by covibes
Your autonomous engineering team in a CLI. Point Zeroshot at an issue, walk away, and return to production-grade code. Supports Claude Code, OpenAI Codex, OpenCode, and Gemini CLI.
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.
# Add to your Claude Code skills
git clone https://github.com/covibes/zeroshotGuides for using ai agents skills like zeroshot.
Last scanned: 4/28/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@isaacs/brace-expansion: @isaacs/brace-expansion has Uncontrolled Resource Consumption",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ajv: ajv has ReDoS when using `$data` option",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "basic-ftp: Basic FTP has Path Traversal Vulnerability in its downloadToDir() method",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "blessed-contrib: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "flatted: flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"severity": "high"
},
{
"type": "npm-audit",
"message": "handlebars: Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "lodash: lodash vulnerable to Code Injection via `_.template` imports key names",
"severity": "high"
},
{
"type": "npm-audit",
"message": "lodash-es: lodash vulnerable to Code Injection via `_.template` imports key names",
"severity": "high"
},
{
"type": "npm-audit",
"message": "minimatch: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"severity": "high"
},
{
"type": "npm-audit",
"message": "mocha: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "npm: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "serialize-javascript: Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"severity": "high"
},
{
"type": "npm-audit",
"message": "simple-git: simple-git Affected by Command Execution via Option-Parsing Bypass",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "tar: node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal",
"severity": "high"
},
{
"type": "npm-audit",
"message": "undici: Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
"severity": "high"
},
{
"type": "npm-audit",
"message": "yaml: yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
"severity": "medium"
}
],
"status": "FAILED",
"scannedAt": "2026-04-28T06:29:37.794Z",
"semgrepRan": false,
"npmAuditRan": true,
"pipAuditRan": true
}🎉 New in v5.4: Now supports OpenCode CLI! Use Claude, Codex, Gemini, or OpenCode as your AI provider. Also supports GitHub, GitLab, Jira, and Azure DevOps as issue backends. See Providers and Multi-Platform Issue Support.
Zeroshot is an open-source AI coding agent orchestration CLI that runs multi-agent workflows to autonomously implement, review, test, and verify code changes.
It runs a planner, an implementer, and independent validators in isolated environments, looping until changes are verified or rejected with actionable, reproducible failures.
Built for tasks where correctness matters more than speed.
zeroshot run 123 # GitHub issue number
zeroshot run feature.md # Markdown file
zeroshot run "Add dark mode" # Inline text
Or describe a complex task inline:
zeroshot run "Add optimistic locking with automatic retry: when updating a user,
retry with exponential backoff up to 3 times, merge non-conflicting field changes,
and surface conflicts with details. Handle the ABA problem where version goes A->B->A."
| Approach | Writes Code | Runs Tests | Blind Validation | Iterates Until Verified |
|---|---|---|---|---|
| Chat-based assistant | ✅ | ⚠️ | ❌ | ❌ |
| Single coding agent | ✅ | ⚠️ | ❌ | ⚠️ |
| Zeroshot (multi-agent) | ✅ | ✅ | ✅ | ✅ |
Platforms: Linux, macOS. Windows (native/WSL) is deferred while we harden reliability and multi-provider correctness.
npm install -g @covibes/zeroshot
Requires: Node 18+, at least one provider CLI (Claude Code, Codex, Gemini, Opencode).
# Install one or more providers
npm i -g @anthropic-ai/claude-code
npm i -g @openai/codex
npm i -g @google/gemini-cli
# Opencode: see https://opencode.ai
# Authenticate with the provider CLI
claude login # Claude
codex login # Codex
gemini auth login # Gemini
opencode auth login # Opencode
# GitHub auth (for issue numbers)
gh auth login
Zeroshot shells out to provider CLIs. Pick a default and override per run:
zeroshot providers
zeroshot providers set-default codex
zeroshot run 123 --provider gemini
See docs/providers.md for setup, model levels, and Docker mounts.
See docs/provider-cli-helper.md for the strict TypeScript provider helper,
the zeroshot-agent-provider JSON executable contract, and the boundary with
Orchestra.
Single-agent sessions degrade. Context gets buried under thousands of tokens. The model optimizes for "done" over "correct."
Zeroshot fixes this with isolated agents that check each other's work. Validators can't lie about code they didn't write. Fail the check? Fix and retry until it actually works.
Zeroshot owns a tool-neutral handoff contract for --pr and --ship flows. It does not know which tool produced a gate. Repos configure required gates, validators publish matching qualityGates evidence, and the git-pusher trigger refuses to wake until every configured gate has fresh passing evidence after IMPLEMENTATION_READY.
Gate config can come from run options or repo settings:
{
"ship": {
"requiredQualityGates": [
{
"id": "repo-quality",
"scope": "repo",
"description": "Repository quality gate",
"command": "repo-quality --changed --json"
}
]
}
}
The id and optional scope are generic. A repo may bind repo-quality to any local quality command, a CI status command, or another quality command outside Zeroshot. Validators receive the configured gate list and must publish entries with status, completedAt or timestamp, and evidence.command, evidence.exitCode, and string evidence.output. Failing or unavailable commands mean approved: false with gate status FAIL or UNAVAILABLE.
The pusher fails closed before commit, push, PR creation, or merge when a configured gate is missing, failing, unavailable, stale, older than IMPLEMENTATION_READY, or lacks usable evidence. If no requiredQualityGates are configured, Zeroshot preserves its existing validator consensus behavior.
Zeroshot performs best when tasks have clear acceptance criteria.
| Scenario | Use | Why |
|---|---|---|
| Add rate limiting (sliding window, per-IP, 429) | Yes | Clear requirements |
| Refactor auth to JWT | Yes | Defined end state |
| Fix login bug | Yes | Success is measurable |
| Fix 2410 lint violations | Yes | Clear completion criteria |
| Make the app faster | No | Needs exploration first |
| Improve the codebase | No | No acceptance criteria |
| Figure out flaky tests | No | Exploratory |
Rule of thumb: if you cannot describe what "done" means, validators cannot verify it.
# Run
zeroshot run 123 # GitHub issue
zeroshot run feature.md # Markdown file
zeroshot run "Add dark mode" # Inline text
# Isolation
zeroshot run 123 --worktree # git worktree
zeroshot run 123 --docker # container
# Automation (--ship implies --pr implies --worktree)
zeroshot run 123 --pr # worktree + create PR
zeroshot run 123 --ship # PR + auto-merge on approval
# Background mode
zeroshot run 123 -d
zeroshot run 123 --ship -d
# Control
zeroshot list
zeroshot status <id>
zeroshot logs <id> -f
zeroshot resume <id>
zeroshot stop <id>
zeroshot kill <id>
# Providers
zeroshot providers
zeroshot providers set-default codex
# Agent library
zeroshot agents list
zeroshot agents show <name>
# Maintenance
zeroshot clean
zeroshot purge
Zeroshot works with GitHub, GitLab, Jira, and Azure DevOps. Just paste the issue URL or key. When working in a git repository, zeroshot automatically detects the issue provider from your git remote URL. No configuration needed!
# GitHub
zeroshot run 123
zeroshot run https://github.com/org/repo/issues/123
# GitLab (cloud and self-hosted)
zeroshot run https://gitlab.com/org/repo/-/issues/456
zeroshot run https://gitlab.mycompany.com/org/repo/-/issues/789
# Jira
zeroshot run PROJ-789
zeroshot run https://company.atlassian.net/browse/PROJ-789
# Azure DevOps
zeroshot run https://dev.azure.com/org/project/_workitems/edit/999
Requires: CLI tools (gh, glab, jira, or az) for the platform you use. See issue-providers README for setup and self-hosted instances.
Important for --pr mode: Run zeroshot from the target repository directory. PRs are created on the git remote of your current directory. If you run from a different repo, zeroshot will warn you and skip the "Closes #X" reference (the PR is still created, but won't auto-close the issue
zeroshot is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by covibes. Your autonomous engineering team in a CLI. Point Zeroshot at an issue, walk away, and return to production-grade code. Supports Claude Code, OpenAI Codex, OpenCode, and Gemini CLI. It has 1,507 GitHub stars.
zeroshot failed SkillsLLM's automated security scan, which flagged one or more high-severity issues. Review the Security Report section carefully before using it.
Clone the repository with "git clone https://github.com/covibes/zeroshot" and add it to your Claude Code skills directory (see the Installation section above).
zeroshot is primarily written in JavaScript. It is open-source under covibes on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh zeroshot against similar tools.
No comments yet. Be the first to share your thoughts!