registry  /  zouroboros-cli  /  2.2.0

zouroboros-cli@2.2.0

Unified CLI for Zouroboros

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No malicious install-time attack surface was found. The package does perform first-party AI skill laydown into a Skills directory after explicit CLI commands, which is an agent extension lifecycle risk but not an unconsented hijack.

Static reason
No blocking static signals were detected.
Trigger
User runs `zouroboros init` or `zouroboros skills install`; network calls require invoking bundled skill scripts.
Impact
Can add Zouroboros skill files to a user/workspace Skills directory and send user-provided review prompts/code to configured model providers during skill execution.
Mechanism
Explicit first-party skill installation and package-aligned model API calls.
Rationale
Static inspection supports a warning for explicit first-party agent skill setup, not a publish block. The risky primitives are user-invoked and package-aligned, with no concrete malicious chain found.
Evidence
package.jsondist/index.jsdist/commands/init.jsdist/commands/skills.jsdist/utils/skills-laydown.jsskills/consensus-gate/scripts/consensus-gate.tsskills/agent-model-healer/scripts/healer.tsskills/consensus-gate/scripts/diversity-arbiter.ts~/.zouroboros/config.json~/.zouroboros/.env~/.zouroboros/logs~/.zouroboros/seeds~/.zouroboros/results~/Skills<workspace>/Skills
Network endpoints6
api.synthetic.new/openai/v1/chat/completionsapi.x.ai/v1/chat/completionsopenrouter.ai/api/v1/chat/completionsopencode.ai/zen/v1/chat/completionsapi.zo.computer/zo/askapi.zo.computer/mcp

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/commands/init.js runs installBundledSkills during explicit `zouroboros init`.
  • dist/commands/skills.js exposes explicit `skills install` that copies bundled skills to workspace/~/Skills.
  • dist/utils/skills-laydown.js recursively cpSyncs bundled skill directories into the chosen destination.
  • Bundled skills include user-invoked scripts that call model/provider APIs with env API keys.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • dist/index.js only registers commander subcommands; no install-time behavior.
  • Network calls are package-aligned model/Zo API calls in explicit skill/CLI workflows.
  • No credential harvesting, stealth persistence, destructive action, or remote payload loading found.
  • Scanner eval hit is a regex rule in diversity-arbiter.ts, not executed dynamic eval.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 44 file(s), 427 KB of source, external domains: api.openai.com, api.synthetic.new, api.x.ai, api.zo.computer, github.com, opencode.ai, openrouter.ai

Source & flagged code

3 flagged · loading source
skills/consensus-gate/scripts/diversity-arbiter.tsView file
81const DANGEROUS_PATTERNS: { rx: RegExp; severity: ArbiterClaim["severity"]; reason: string }[] = [ L82: { rx: /\beval\s*\(/, severity: "high", reason: "eval() can execute arbitrary code from untrusted strings." }, L83: { rx: /\bnew\s+Function\s*\(/, severity: "high", reason: "new Function() is dynamic-eval and bypasses static analysis." },
Low
Eval

Package source references a known benign dynamic code generation pattern.

skills/consensus-gate/scripts/diversity-arbiter.tsView on unpkg · L81
dist/utils/optional-package.jsView file
8try { L9: return (await import(pkg)); L10: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/utils/optional-package.jsView on unpkg · L8
skills/consensus-gate/scripts/judge-calibration.pyView file
path = skills/consensus-gate/scripts/judge-calibration.py kind = build_helper sizeBytes = 14330 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/consensus-gate/scripts/judge-calibration.pyView on unpkg

Findings

6 Medium5 Low
MediumDynamic Requiredist/utils/optional-package.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperskills/consensus-gate/scripts/judge-calibration.py
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowEvalskills/consensus-gate/scripts/diversity-arbiter.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings