ZeroLeaks
ZeroLeaks SDK

ZeroLeaks SDK

Run hosted red-team scans against the exact agent, models, tools, memory, and middleware used by your application.

ZeroLeaks SDK

@zeroleaks/sdk connects the hosted ZeroLeaks attack engine to your application code. Runtime scans execute every probe through your real agent while the SDK preserves conversation state and reports actual tool calls and results.

Version 0.2.2 makes the complete production probe catalog the default for runtime scans, while preserving concurrent isolated sessions and stalled-worker detection. Upgrade with bun add @zeroleaks/sdk@^0.2.2; no application code changes are required.

import { ZeroLeaks, createRuntimeTarget } from "@zeroleaks/sdk";

const zeroleaks = new ZeroLeaks();
const target = createRuntimeTarget({
  definition: {
    name: "Production support agent",
    provider: "custom",
    tools: productionToolDefinitions,
  },
  invoke: ({ messages, sessionId, signal }) =>
    runProductionAgent({ messages, sessionId, signal }),
  reset: (sessionId) => resetAgentSession(sessionId),
});

const { report } = await zeroleaks.runtimeScans.run(target);
console.log(report.overallScore, report.toolTrace);

Choose a scan path

PathBest forWhat ZeroLeaks exercises
Runtime scansApplication code, CI, stagingYour real model configuration, instructions, memory, middleware, tools, and execution loop
AI SDK adapterAI SDK Agent or ToolLoopAgentFull AI SDK tool schemas, executions, results, and multi-turn state
OpenAI adapterResponses API or Chat CompletionsNative OpenAI request settings and local function-tool execution
Endpoint scansAlready-deployed HTTP agentsProduction HTTP contract, authentication, response parsing, and declared tools
Prompt scansA system prompt before an application existsHosted model simulation using the ZeroLeaks prompt scan engine
Skill scansAgent skills and manifestsStatic and behavioral analysis of repositories, URLs, or ZIP archives

Production fidelity

Runtime scans use a relay protocol. The attack engine creates a probe, your SDK process claims it, and the SDK calls your target locally. The model or tool credentials never need to be sent to ZeroLeaks, and the target does not need a public URL.

The SDK automatically:

  • separates extraction, injection, and agent-probe sessions;
  • runs the complete production probe catalog by default;
  • executes independent sessions concurrently while preserving ordering inside each multi-turn session;
  • resets state when the engine starts a new conversation;
  • passes the full conversation history to every invocation;
  • includes all configured tools by default;
  • preserves complete input and output schemas;
  • records tool arguments, results, failures, and provider-executed calls;
  • handles polling, retries, stalled-worker detection, cancellation, abort signals, and report retrieval.

Package design

  • Node.js 18+ and Bun 1+
  • ESM and CommonJS
  • Typed errors and API responses
  • Optional peer integrations for ai and openai
  • MIT-licensed SDK; hosted orchestration and attack intelligence remain server-side

Start here

On this page