registry  /  @1mcp/agent  /  0.34.1

@1mcp/agent@0.34.1

One MCP server to aggregate them all - A unified Model Context Protocol server implementation

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `1mcp cli-setup --codex` or `1mcp cli-setup --claude`; `serve --background` is separately user-invoked.
Impact
Persists a package command in selected AI-client startup hooks; source does not show stealth, exfiltration, or install-time activation.
Mechanism
Explicit CLI-managed agent hook and startup-document configuration
Rationale
The package is not malicious by the install-time boundary, but it has a real explicit-user agent configuration mutation capability. Per policy, this warrants a warning rather than a block.
Evidence
package.jsonbuild/index.jsbuild/commands/cliSetup/cliSetup.jsbuild/commands/cliSetup/setupFiles.jsbuild/commands/serve/serveBackground.jsbuild/utils/validation/sanitization.jsbuild/core/instructions/instructionsDistribution.js
Network endpoints1
registry.modelcontextprotocol.io

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `build/commands/cliSetup/setupFiles.js` writes global or repo Codex/Claude hook and startup files.
  • Explicit `cli-setup --codex` adds a SessionStart command hook: `1mcp instructions`.
  • Global setup targets `~/.codex/hooks.json` and `~/.codex/AGENTS.md`; repo setup targets `.codex/hooks.json` and `AGENTS.md`.
  • `build/commands/serve/serveBackground.js` can spawn a detached copy of the package only for user-invoked `serve --background`.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • CLI setup requires exactly one explicit `--codex` or `--claude` flag.
  • The setup code preserves unrelated hooks and deduplicates only its own `1mcp instructions` hook.
  • Registry networking is package-aligned, defaulting to `https://registry.modelcontextprotocol.io`.
  • `build/utils/validation/sanitization.js` redacts tokens, credentials, headers, and sensitive environment values rather than harvesting them.
  • No eval/vm/native loader or confirmed credential-exfiltration path found in inspected runtime sources.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 333 file(s), 1.94 MB of source, external domains: community-registry.modelcontextprotocol.io, docs.1mcp.app, experimental-registry.modelcontextprotocol.io, github.com, mcp.1mcp.app, registry.example.com, registry.modelcontextprotocol.io

Source & flagged code

2 flagged · loading source
build/utils/validation/sanitization.jsView file
412patternName = generic_password severity = medium line = 412 matchedText = urlObj.p...ED';
Medium
Secret Pattern

Package contains a possible secret pattern.

build/utils/validation/sanitization.jsView on unpkg · L412
build/commands/serve/serveBackground.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @1mcp/agent@0.33.0 matchedIdentity = npm:QDFtY3AvYWdlbnQ:0.33.0 similarity = 0.925 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

build/commands/serve/serveBackground.jsView on unpkg

Findings

1 High3 Medium4 Low
HighPrevious Version Dangerous Deltabuild/commands/serve/serveBackground.js
MediumSecret Patternbuild/utils/validation/sanitization.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings