registry  /  @1mcp/agent  /  0.34.2

@1mcp/agent@0.34.2

One MCP server to aggregate them all - A unified Model Context Protocol server implementation

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit `1mcp app consolidate <app>` / restore / serve command.
Impact
Selected AI-client control-surface configuration can be redirected to the local 1mcp proxy; no install-time or unconsented mutation is present.
Mechanism
User-invoked MCP client configuration consolidation and local proxy startup.
Rationale
Source establishes an explicit user-command AI-agent configuration mutation capability, not malware or install-time hijacking. Per policy, this warrants a warning despite safeguards and the absence of exfiltration or stealth behavior.
Evidence
package.jsonbuild/index.jsbuild/commands/app/consolidate.jsbuild/commands/app/restore.jsbuild/commands/mcp/install.jsbuild/commands/serve/serveBackground.jsbuild/utils/validation/sanitization.jsbuild/constants/paths.js
Network endpoints1
registry.modelcontextprotocol.io

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `build/commands/app/consolidate.js` explicitly replaces selected Claude Desktop/Cursor/VS Code MCP configuration files.
  • The `app consolidate` path imports discovered server definitions, writes a 1mcp connection, and backs up originals.
  • `build/commands/app/restore.js` restores those application configurations on an explicit CLI command.
  • `build/commands/serve/serveBackground.js` can launch a detached background 1mcp runtime.
  • `build/commands/mcp/install.js` fetches registry server metadata to add MCP servers to 1mcp configuration.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `build/index.js` only registers CLI commands; sensitive actions require runtime invocation.
  • Consolidation requires named apps and normally shows a preview and confirmation; `--yes` is explicit.
  • Consolidation creates backups and restores the original file if its write workflow fails.
  • `build/utils/validation/sanitization.js` redacts credentials and sensitive headers for logs.
  • No eval/vm/native loader or arbitrary shell-command execution was found; spawning re-invokes the package's own serve command.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 333 file(s), 1.94 MB of source, external domains: community-registry.modelcontextprotocol.io, docs.1mcp.app, experimental-registry.modelcontextprotocol.io, github.com, mcp.1mcp.app, registry.example.com, registry.modelcontextprotocol.io

Source & flagged code

1 flagged · loading source
build/utils/validation/sanitization.jsView file
412patternName = generic_password severity = medium line = 412 matchedText = urlObj.p...ED';
Medium
Secret Pattern

Package contains a possible secret pattern.

build/utils/validation/sanitization.jsView on unpkg · L412

Findings

3 Medium4 Low
MediumSecret Patternbuild/utils/validation/sanitization.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings