registry  /  zyn-ai  /  1.5.2

zyn-ai@1.5.2

Production-ready AI agent for CLI and TUI with real tool execution, 28+ providers, 217+ models, memory, and automation

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 56 file(s), 922 KB of source, external domains: accounts.google.com, aiplatform.googleapis.com, api-inference.huggingface.co, api.anthropic.com, api.cloudflare.com, api.cohere.com, api.example.com, api.fireworks.ai, api.github.com, api.groq.com, api.inference.net, api.mistral.ai, api.novita.ai, api.openai.com, api.perplexity.ai, api.replicate.com, api.together.xyz, api.x.ai, cdn.soymaycol.icu, chat.deepseek.com, chat.qwen.ai, dashscope-intl.aliyuncs.com, docs.example.com, example.com, generativelanguage.googleapis.com, git.empresa.com, github.com, gitlab.com, gmail.googleapis.com, html.duckduckgo.com, llm.chutes.ai, lmstudio.ai, mcp.deepwiki.com, models.github.ai, news.ycombinator.com, oauth2.googleapis.com, ollama.com, opencode.ai, openidconnect.googleapis.com, openrouter.ai, raw.githubusercontent.com, react.dev, router.huggingface.co, www.googleapis.com, www.w3.org, zyn.soymaycol.icu

Source & flagged code

5 flagged · loading source
src/tools/index.jsView file
2const path = require('path'); L3: const { spawn, execSync } = require('child_process'); L4:
High
Child Process

Package source references child process execution.

src/tools/index.jsView on unpkg · L2
2const path = require('path'); L3: const { spawn, execSync } = require('child_process'); L4: ... L59: buildCloneUrl, L60: getApiBaseUrl, L61: listGitSecrets, ... L268: function printTools(lang) { L269: console.log(t(lang, 'Herramientas disponibles:', 'Available tools:')); L270: for (const tool of TOOL_DEFINITIONS) {
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

src/tools/index.jsView on unpkg · L2
zyn.jsView file
1#!/usr/bin/env node L2: const { main } = require('./src/cli/runtime'); L3: main().catch((err) => {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

zyn.jsView on unpkg · L1
src/cli/commands.jsView file
1481const safeName = name.replace(/[^a-z0-9@/._-]/gi, ''); L1482: execSync(`npm install --prefix "${pluginsDir}" ${safeName}`, { stdio: 'pipe', timeout: 60000 }); L1483: console.log(' ' + t(state.language, 'pluginsInstalledSuccess', { name }));
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/cli/commands.jsView on unpkg · L1481
src/providers/deepseek/sha3_wasm_bg.wasmView file
path = src/providers/deepseek/sha3_wasm_bg.wasm kind = wasm_module sizeBytes = 26612 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

src/providers/deepseek/sha3_wasm_bg.wasmView on unpkg

Findings

4 High5 Medium4 Low
HighChild Processsrc/tools/index.js
HighShell
HighRemote Agent Bridgesrc/tools/index.js
HighRuntime Package Installsrc/cli/commands.js
MediumDynamic Requirezyn.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Modulesrc/providers/deepseek/sha3_wasm_bg.wasm
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings