AI Security Review
scanned 13d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an MCP aggregation/proxy CLI with explicit setup, consolidation, registry, HTTP, and stdio transport capabilities.
Static reason
One or more suspicious static signals were detected.
Trigger
User invokes 1mcp CLI commands such as serve, proxy, registry, app consolidate, or cli-setup
Impact
No evidence of credential exfiltration, hidden install-time execution, persistence, or destructive behavior
Mechanism
User-directed MCP server/proxy and configuration management
Rationale
Static inspection found powerful but package-aligned MCP proxy/configuration features that require explicit user CLI invocation. Scanner hits for network, env vars, secret patterns, and file writes map to normal registry/local proxy/config setup and defensive redaction code, not malicious behavior.
Evidence
package.jsonbuild/index.jsbuild/commands/cliSetup/setupFiles.jsbuild/commands/app/consolidate.jsbuild/transport/transportFactory.jsbuild/transport/stdioProxyTransport.jsbuild/domains/registry/mcpRegistryClient.jsbuild/utils/validation/sanitization.js~/.codex/1MCP.md~/.codex/hooks.json~/.codex/AGENTS.md~/.claude/1MCP.md~/.claude/settings.json~/.claude/CLAUDE.md.codex/1MCP.md.codex/hooks.jsonAGENTS.md.claude/1MCP.md.claude/settings.jsonCLAUDE.md
Network endpoints4
localhost:3050/mcpregistry.modelcontextprotocol.iodocs.1mcp.appgithub.com/1mcp-app/agent
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- build/commands/cliSetup/setupFiles.js can write Codex/Claude startup and hook files, but only via explicit cli-setup command
- build/transport/transportFactory.js creates stdio transports that execute user-configured MCP server commands
- build/commands/app/consolidate.js rewrites supported app MCP configs after user confirmation or --yes
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts
- build/index.js is a yargs CLI entrypoint; import-time behavior only registers commands then parses invoked CLI args
- build/utils/validation/sanitization.js redacts secrets in errors/headers/args rather than harvesting them
- Network use is package-aligned: local MCP proxy/server URLs and MCP registry API client
- Config and AI-agent file mutations are explicit CLI features, not unconsented lifecycle control-surface changes
Behavioral surface
CryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcebuild/utils/validation/sanitization.jsView file
412patternName = generic_password
severity = medium
line = 412
matchedText = urlObj.p...ED';
Medium
Secret Pattern
Package contains a possible secret pattern.
build/utils/validation/sanitization.jsView on unpkg · L412Findings
3 Medium4 Low
MediumSecret Patternbuild/utils/validation/sanitization.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings