AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
Explicit `1mcp app consolidate <app>` / restore / serve command.
Impact
Selected AI-client control-surface configuration can be redirected to the local 1mcp proxy; no install-time or unconsented mutation is present.
Mechanism
User-invoked MCP client configuration consolidation and local proxy startup.
Rationale
Source establishes an explicit user-command AI-agent configuration mutation capability, not malware or install-time hijacking. Per policy, this warrants a warning despite safeguards and the absence of exfiltration or stealth behavior.
Evidence
package.jsonbuild/index.jsbuild/commands/app/consolidate.jsbuild/commands/app/restore.jsbuild/commands/mcp/install.jsbuild/commands/serve/serveBackground.jsbuild/utils/validation/sanitization.jsbuild/constants/paths.js
Network endpoints1
registry.modelcontextprotocol.io
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `build/commands/app/consolidate.js` explicitly replaces selected Claude Desktop/Cursor/VS Code MCP configuration files.
- The `app consolidate` path imports discovered server definitions, writes a 1mcp connection, and backs up originals.
- `build/commands/app/restore.js` restores those application configurations on an explicit CLI command.
- `build/commands/serve/serveBackground.js` can launch a detached background 1mcp runtime.
- `build/commands/mcp/install.js` fetches registry server metadata to add MCP servers to 1mcp configuration.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- `build/index.js` only registers CLI commands; sensitive actions require runtime invocation.
- Consolidation requires named apps and normally shows a preview and confirmation; `--yes` is explicit.
- Consolidation creates backups and restores the original file if its write workflow fails.
- `build/utils/validation/sanitization.js` redacts credentials and sensitive headers for logs.
- No eval/vm/native loader or arbitrary shell-command execution was found; spawning re-invokes the package's own serve command.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcebuild/utils/validation/sanitization.jsView file
412patternName = generic_password
severity = medium
line = 412
matchedText = urlObj.p...ED';
Medium
Secret Pattern
Package contains a possible secret pattern.
build/utils/validation/sanitization.jsView on unpkg · L412Findings
3 Medium4 Low
MediumSecret Patternbuild/utils/validation/sanitization.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings