registry  /  zyn-ai  /  1.4.1

zyn-ai@1.4.1

Production-ready AI agent for CLI, TUI, and external platforms (WhatsApp/Baileys, Discord, Telegram) with real tool execution and automation

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 57 file(s), 748 KB of source, external domains: accounts.google.com, aiplatform.googleapis.com, api-inference.huggingface.co, api.anthropic.com, api.cloudflare.com, api.cohere.com, api.example.com, api.fireworks.ai, api.github.com, api.groq.com, api.inference.net, api.mistral.ai, api.novita.ai, api.openai.com, api.perplexity.ai, api.replicate.com, api.together.xyz, api.x.ai, cdn.soymaycol.icu, chat.deepseek.com, chat.qwen.ai, dashscope-intl.aliyuncs.com, docs.example.com, example.com, generativelanguage.googleapis.com, git.empresa.com, github.com, gitlab.com, gmail.googleapis.com, html.duckduckgo.com, llm.chutes.ai, lmstudio.ai, models.github.ai, news.ycombinator.com, oauth2.googleapis.com, ollama.com, opencode.ai, openidconnect.googleapis.com, openrouter.ai, raw.githubusercontent.com, react.dev, router.huggingface.co, www.googleapis.com, www.w3.org

Source & flagged code

4 flagged · loading source
src/tools/index.jsView file
2const path = require('path'); L3: const { spawn, execSync } = require('child_process'); L4:
High
Child Process

Package source references child process execution.

src/tools/index.jsView on unpkg · L2
2const path = require('path'); L3: const { spawn, execSync } = require('child_process'); L4: ... L28: buildCloneUrl, L29: getApiBaseUrl, L30: listGitSecrets, ... L245: function printTools(lang) { L246: console.log(t(lang, 'Herramientas disponibles:', 'Available tools:')); L247: for (const tool of TOOL_DEFINITIONS) {
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

src/tools/index.jsView on unpkg · L2
zyn.jsView file
1#!/usr/bin/env node L2: const { main } = require('./src/cli/runtime'); L3: main().catch(err => {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

zyn.jsView on unpkg · L1
src/providers/deepseek/sha3_wasm_bg.wasmView file
path = src/providers/deepseek/sha3_wasm_bg.wasm kind = wasm_module sizeBytes = 26612 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

src/providers/deepseek/sha3_wasm_bg.wasmView on unpkg

Findings

3 High5 Medium4 Low
HighChild Processsrc/tools/index.js
HighShell
HighRemote Agent Bridgesrc/tools/index.js
MediumDynamic Requirezyn.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Modulesrc/providers/deepseek/sha3_wasm_bg.wasm
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings