registry  /  @0xmonaco/mcp-server  /  0.8.14

@0xmonaco/mcp-server@0.8.14

MCP server for the Monaco SDK

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package exposes documented MCP tools for Monaco market data, trading, and vault operations, with authenticated actions gated by user-supplied environment variables.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the bin/MCP server and, for authenticated actions, supplies MONACO_PRIVATE_KEY and MONACO_CLIENT_ID then invokes a tool.
Impact
User-authorized trading, deposits, withdrawals, approvals, and market-data access through Monaco/Sei APIs.
Mechanism
documented Monaco MCP trading and vault client
Rationale
The wallet/private-key and transaction primitives are real but are documented, package-aligned MCP capabilities rather than hidden install/import-time behavior or exfiltration. Static inspection found no lifecycle execution, persistence, payload staging, or unconsented agent control-surface mutation.
Evidence
package.jsonREADME.mddist/bin.js
Network endpoints5
api.monaco.xyzstaging.apimonaco.xyzevm-rpc.sei-apis.comevm-rpc-testnet.sei-apis.comlocalhost:8545

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/bin.js registers authenticated trading/vault MCP tools including place_market_order, vault_approve, vault_deposit, vault_withdraw.
  • dist/bin.js reads MONACO_PRIVATE_KEY and MONACO_CLIENT_ID from environment to enable authenticated tools.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; bin is ./dist/bin.js only.
  • README.md documents public-only and authenticated modes, required env vars, networks, and trading/vault tools.
  • dist/bin.js only starts an MCP stdio server on runtime invocation; authenticated tools are registered only when MONACO_PRIVATE_KEY is set.
  • Network endpoints are Monaco/Sei aligned: api.monaco.xyz, staging.apimonaco.xyz, evm-rpc.sei-apis.com, evm-rpc-testnet.sei-apis.com.
  • No evidence of credential exfiltration, hidden payload download, persistence, destructive filesystem writes, or AI-agent config mutation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 1 file(s), 1.19 MB of source, external domains: 4byte.sourcify.dev, abitype.dev, api.etherscan.io, api.monaco.xyz, develop.apimonaco.xyz, docs.0xmonaco.com, docs.soliditylang.org, evm-rpc-testnet.sei-apis.com, evm-rpc.sei-apis.com, github.com, jimmy.warting.se, json-schema.org, oxlib.sh, seiscan.io, staging.apimonaco.xyz, testnet.seiscan.io, viem.sh

Source & flagged code

3 flagged · loading source
dist/bin.jsView file
1#!/usr/bin/env node L2: import{createRequire as Ea}from"node:module";var Aa=Object.create;var{getPrototypeOf:qa,defineProperty:IA,getOwnPropertyNames:Ia}=Object;var La=Object.prototype.hasOwnProperty;func... L3: Content-Disposition: form-data; name="`;return $.forEach((G,W)=>typeof G=="string"?Y.push(X+BA(W)+`"\r ... L12: `)).replace(/\n/g,"%0A").replace(/\r/g,"%0D").replace(/"/g,"%22"),EX=($,J,Q)=>{if(J.length<Q)throw TypeError(`Failed to execute '${$}' on 'FormData': ${Q} arguments required, but o... L13: --`+$;let J=new Uint8Array($.length);for(let Q=0;Q<$.length;Q++)J[Q]=$.charCodeAt(Q),this.boundaryChars[J[Q]]=!0;this.boundary=J,this.lookbehind=new Uint8Array(this.boundary.length... L14: `).join(`\r ... L22: || (${W} === "string" && ${X} && ${X} == +${X} && !(${X} % 1))`).assign(V,m$._`+${X}`);return;case"boolean":Y.elseIf(m$._`${X} === "false" || ${X} === 0 || ${X} === null`).assign(V... L23: || ${W} === "boolean" || ${X} === null`).assign(V,m$._`[${X}]`)}}}function QQ$({gen:$,parentData:J,parentDataProperty:Q},Y){$.if(m$._`${J} !== undefined`,()=>$.assign(m$._`${J}[${Q... L24: missingProperty: ${Y}, ... L46: `),{name:"InvalidDefinitionTypeError"})}}});var U1;var A9=o(()=
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

dist/bin.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> dist/bin.js L1: #!/usr/bin/env node L2: import{createRequire as Ea}from"node:module";var Aa=Object.create;var{getPrototypeOf:qa,defineProperty:IA,getOwnPropertyNames:Ia}=Object;var La=Object.prototype.hasOwnProperty;func... L3: Content-Disposition: form-data; name="`;return $.forEach((G,W)=>typeof G=="string"?Y.push(X+BA(W)+`"\r ... L12: `)).replace(/\n/g,"%0A").replace(/\r/g,"%0D").replace(/"/g,"%22"),EX=($,J,Q)=>{if(J.length<Q)throw TypeError(`Failed to execute '${$}' on 'FormData': ${Q} arguments required, but o... L13: --`+$;let J=new Uint8Array($.length);for(let Q=0;Q<$.length;Q++)J[Q]=$.charCodeAt(Q),this.boundaryChars[J[Q]]=!0;this.boundary=J,this.lookbehind=new Uint8Array(this.boundary.length... L14: `).join(`\r ... L22: || (${W} === "string" && ${X} && ${X} == +${X} && !(${X} % 1))`).assign(V,m$._`+${X}`);return;case"boolean":Y.elseIf(m$._`${X} === "false" || ${X} === 0 || ${X} === null`).assign(V... L23: || ${W} === "boolean" || ${X} === null`).assign(V,m$._`[${X}]`)}}}function QQ$({gen:$,parentData:J,parentDataProperty:Q},Y){$.if(m$._`${J} !== undefined`,()=>$.assign(m$._`${J}[${Q... L24: missingProperty: ${Y}, ... L46: `),{name:…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/bin.jsView on unpkg · L1
65\r L66: `),Y=!1,X=!1,G;$.on("response",(W)=>{let{headers:V}=W;Y=V["transfer-encoding"]==="chunked"&&!V["content-length"]}),$.on("socket",(W)=>{let V=()=>{if(Y&&!X){let K=Error("Premature c... L67: `)}var fY=($)=>(J,Q,Y,X)=>{let G=Y?{...Y,async:!1}:{async:!1},W=J._zod.run({value:Q,issues:[]},G);if(W instanceof Promise)throw new OJ;if(W.issues.length){let V=new(X?.Err??$)(W.is...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/bin.jsView on unpkg · L65

Findings

2 Critical5 Medium6 Low
CriticalWallet Draindist/bin.js
CriticalTrigger Reachable Dangerous Capabilitydist/bin.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowEvaldist/bin.js
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License