AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime behavior queries Italian Parliament open-data endpoints through MCP/CLI tools; the only shell execution is an explicit user-invoked CLI workflow for Senato bill text conversion.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs italianparliament-mcp MCP server, Cloudflare Worker, or italianparliament CLI commands.
Impact
Package can make network requests to parliament-related endpoints and, for one CLI subcommand, write a requested markdown output file.
Mechanism
SPARQL/HTTP data retrieval and optional user-invoked PDF conversion
Rationale
Static inspection shows a legitimate MCP/CLI package for Italian Parliament data with package-aligned networking and no install-time execution or covert collection/exfiltration. Suspicious primitives are user-invoked and documented, not an unconsented attack chain.
Evidence
package.jsondist/index.jsdist/cli.jsdist/worker.jsREADME.md
Network endpoints6
dati.camera.it/sparqldati.senato.it/sparqlwww.camera.itwww.senato.itdocumenti.camera.it/apps/emendamenti/italianparliament-mcp.andy-pr.workers.dev/mcp
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/cli.js has explicit bill-text fetch using execFile for agent-browser and lit plus writeFile to user --out.
- dist/worker.js exposes a Cloudflare Worker MCP HTTP endpoint with permissive CORS for /mcp.
Evidence against
- package.json has no install/preinstall/postinstall hooks; only prepublishOnly build.
- dist/index.js starts an MCP stdio server and registers parliament query tools only when invoked.
- Network use is package-aligned SPARQL/Italian Parliament/document endpoints: dati.camera.it, dati.senato.it, camera.it, senato.it, documenti.camera.it.
- No credential/env harvesting, persistence, destructive behavior, broad agent config mutation, or remote payload download/execute found.
- dist/cli.js child_process usage is confined to explicit local CLI bill-text fetch command for browser/PDF conversion prerequisites.
Behavioral surface
ChildProcessEvalFilesystemNetworkShell
HighEntropyStringsMinifiedObfuscatedUrlStrings
Source & flagged code
4 flagged · loading sourcedist/worker.jsView file
622patternName = generic_password
severity = medium
line = 622
matchedText = )`,enabl...,`\r
Medium
4|| (${a} === "string" && ${o} && ${o} == +${o} && !(${o} % 1))`).assign(s,(0,V._)`+${o}`);return;case"boolean":n.elseIf((0,V._)`${o} === "false" || ${o} === 0 || ${o} === null`).as...
L5: || ${a} === "boolean" || ${o} === null`).assign(s,(0,V._)`[${o}]`)}}}function GI({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,V._)`${t} !== undefined`,()=>e.assign((0,V._)`...
L6: missingProperty: ${n},
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/worker.jsView on unpkg · L4dist/index.jsView file
7596patternName = generic_password
severity = medium
line = 7596
matchedText = password...d]",
Medium
dist/cli.jsView file
7442patternName = generic_password
severity = medium
line = 7442
matchedText = password...d]",
Medium
Findings
5 Medium7 Low
MediumSecret Patterndist/worker.js
MediumNetwork
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/index.js
MediumSecret Patterndist/cli.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/worker.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings