zx

JavaScript/TypeScript tool for writing shell scripts. zx provides the $`command` template tag to execute shell commands from JavaScript with proper error handling, output capture, and async support. Eliminates shell scripting pain points — handles quoting, error codes, parallel execution, and piping while staying in JavaScript/TypeScript. Built by Google.

Evaluated: Mar 06, 2026
Version: v8+
Category: Developer Tools
Tags: scripting, shell, node, javascript, automation, google, devops
⚙ Agent Friendliness: 70 / 100 (Can an agent use this?)
🔒 Security: 86 / 100 (Is it safe for agents?)
⚡ Reliability: 82 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 90
Error Messages: 88
Auth Simplicity: 100
Rate Limits: 100

🔒 Security

TLS Enforcement: 90
Auth Strength: 88
Scope Granularity: 85
Dep. Hygiene: 88
Secret Handling: 80

Shell injection risk with user-provided input — use quote() helper. Verbose mode logs commands including any secrets in arguments. Apache 2.0 license.

⚡ Reliability

Uptime/SLA: 88
Version Stability: 82
Breaking Changes: 75
Error Recovery: 85

Best When

You need complex automation logic (conditionals, loops, JSON processing) that's painful in bash but natural in JavaScript — zx bridges shell and JS cleanly.

Avoid When

Simple shell scripts that are 5 lines or less — bash is more appropriate. Also avoid when portability to environments without Node.js is required.

Use Cases

  • Replace bash scripts with JavaScript/TypeScript for complex automation that needs conditional logic, JSON parsing, and error handling
  • Build agent automation pipelines that orchestrate shell commands with TypeScript type safety and proper error handling
  • Run parallel shell commands in agent CI scripts: await Promise.all([$`build`, $`test`, $`lint`])
  • Process command output as structured data — parse JSON, filter lines, transform output in JavaScript
  • Write cross-platform scripts that avoid bash-incompatibility issues between macOS/Linux/Windows

Not For

  • Simple one-liner scripts — plain bash is simpler for trivial commands
  • Production server runtime — zx is a scripting tool, not a production runtime
  • Performance-critical scripts where shell overhead is unacceptable; use native Node.js child_process for performance-sensitive work

Interface

REST API: No
GraphQL: No
gRPC: No
MCP Server: No
SDK: Yes
Webhooks: No

Authentication

Methods: none
OAuth: No
Scopes: No

No authentication — local scripting tool.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Apache 2.0 licensed Google open source project.

Agent Metadata

Pagination: none
Idempotent: Partial
Retry Guidance: Not documented

Known Gotchas

  • Shell injection is possible if user-provided data is interpolated in template tags — use $.({input}) or quote() helper for untrusted input; $`rm ${userInput}` is dangerous
  • zx v8 changed to ESM-only — .mjs files or package.json 'type: module' required; CommonJS scripts from zx v7 need updating
  • Default shell is bash on Unix — Windows uses cmd.exe; cross-platform scripts must use $.({shell: 'powershell'}) or test on target platforms
  • Command output includes trailing newlines — use .trim() on stdout/stderr when comparing strings or parsing values
  • Verbose mode ($.verbose = true) logs all commands and output — disable in scripts that handle secrets to avoid credential logging
  • Parallel execution with Promise.all() can overwhelm system resources for many concurrent processes — use p-limit or concurrency control for large parallel workloads

Scores are editorial opinions as of 2026-03-06.
