registry  /  @1mcp/agent  /  0.33.0

@1mcp/agent@0.33.0

One MCP server to aggregate them all - A unified Model Context Protocol server implementation

AI Security Review

scanned 13d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an MCP aggregation/proxy CLI with explicit setup, consolidation, registry, HTTP, and stdio transport capabilities.

Static reason
One or more suspicious static signals were detected.
Trigger
User invokes 1mcp CLI commands such as serve, proxy, registry, app consolidate, or cli-setup
Impact
No evidence of credential exfiltration, hidden install-time execution, persistence, or destructive behavior
Mechanism
User-directed MCP server/proxy and configuration management
Rationale
Static inspection found powerful but package-aligned MCP proxy/configuration features that require explicit user CLI invocation. Scanner hits for network, env vars, secret patterns, and file writes map to normal registry/local proxy/config setup and defensive redaction code, not malicious behavior.
Evidence
package.jsonbuild/index.jsbuild/commands/cliSetup/setupFiles.jsbuild/commands/app/consolidate.jsbuild/transport/transportFactory.jsbuild/transport/stdioProxyTransport.jsbuild/domains/registry/mcpRegistryClient.jsbuild/utils/validation/sanitization.js~/.codex/1MCP.md~/.codex/hooks.json~/.codex/AGENTS.md~/.claude/1MCP.md~/.claude/settings.json~/.claude/CLAUDE.md.codex/1MCP.md.codex/hooks.jsonAGENTS.md.claude/1MCP.md.claude/settings.jsonCLAUDE.md
Network endpoints4
localhost:3050/mcpregistry.modelcontextprotocol.iodocs.1mcp.appgithub.com/1mcp-app/agent

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • build/commands/cliSetup/setupFiles.js can write Codex/Claude startup and hook files, but only via explicit cli-setup command
  • build/transport/transportFactory.js creates stdio transports that execute user-configured MCP server commands
  • build/commands/app/consolidate.js rewrites supported app MCP configs after user confirmation or --yes
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts
  • build/index.js is a yargs CLI entrypoint; import-time behavior only registers commands then parses invoked CLI args
  • build/utils/validation/sanitization.js redacts secrets in errors/headers/args rather than harvesting them
  • Network use is package-aligned: local MCP proxy/server URLs and MCP registry API client
  • Config and AI-agent file mutations are explicit CLI features, not unconsented lifecycle control-surface changes
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 326 file(s), 1.90 MB of source, external domains: community-registry.modelcontextprotocol.io, docs.1mcp.app, experimental-registry.modelcontextprotocol.io, github.com, mcp.1mcp.app, registry.example.com, registry.modelcontextprotocol.io

Source & flagged code

1 flagged · loading source
build/utils/validation/sanitization.jsView file
412patternName = generic_password severity = medium line = 412 matchedText = urlObj.p...ED';
Medium
Secret Pattern

Package contains a possible secret pattern.

build/utils/validation/sanitization.jsView on unpkg · L412

Findings

3 Medium4 Low
MediumSecret Patternbuild/utils/validation/sanitization.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings