registry  /  @agentstash/mcp  /  0.2.0

@agentstash/mcp@0.2.0

MCP server + install CLI for Agent Stash — shared memory for Claude Code, Cursor, and Codex

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `agentstash init` configures Claude/Cursor to launch this MCP server and installs a package-owned Claude skill. When launched, MCP tools synchronize caller-supplied project memory and progress data with Agent Stash; no covert attack chain was found.

Static reason
No blocking static signals were detected.
Trigger
User runs `agentstash init`, then a configured AI client launches the MCP server and calls its tools.
Impact
Persists an MCP integration and sends tool-supplied project context to the configured service.
Mechanism
Explicit AI-agent extension setup plus hosted memory synchronization.
Rationale
No concrete malware behavior was found, but explicit first-party AI-agent extension setup is a warn-class lifecycle risk under the firewall policy.
Evidence
package.jsonsrc/bin.jssrc/index.jssrc/cli/init.jssrc/cli/merge-json.jssrc/cli/targets/claude.jssrc/cli/targets/cursor.jssrc/cli/skill-template.md~/.agentstash/config.json~/.claude/settings.json~/.claude/skills/agent-stash/SKILL.md~/.cursor/mcp.json
Network endpoints1
agentstash.ai

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/cli/init.js` explicitly writes Agent Stash setup to Claude and Cursor.
  • `src/cli/targets/claude.js` installs `~/.claude/skills/agent-stash/SKILL.md`.
  • `src/cli/merge-json.js` adds an MCP entry that runs `npx -y @agentstash/mcp`.
  • `src/index.js` sends user/agent-supplied memories and logs to Agent Stash.
Evidence against
  • `package.json` contains no preinstall/install/postinstall lifecycle hook.
  • CLI mutations occur only through explicit `init`; `uninstall` removes only managed entries.
  • Shell calls are fixed `git config` or `claude` CLI arguments, with no shell interpolation.
  • No credential-file harvesting, dynamic code loading, eval, remote payload execution, or destructive behavior found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 54.6 KB of source, external domains: agentstash.ai

Source & flagged code

2 flagged · loading source
src/index.jsView file
20} from "@modelcontextprotocol/sdk/types.js"; L21: import { execSync } from "node:child_process"; L22: import path from "node:path";
High
Child Process

Package source references child process execution.

src/index.jsView on unpkg · L20
10* AGENT_STASH_API_KEY (required) — your API key from agentstash.ai L11: * AGENT_STASH_URL (optional) — defaults to https://agentstash.ai L12: * AGENT_STASH_PROJECT (optional) — override project namespace ... L20: } from "@modelcontextprotocol/sdk/types.js"; L21: import { execSync } from "node:child_process"; L22: import path from "node:path"; L23: L24: const API_BASE = (process.env.AGENT_STASH_URL || "https://agentstash.ai").replace(/\/$/, ""); L25: const API_KEY = process.env.AGENT_STASH_API_KEY;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/index.jsView on unpkg · L10

Findings

3 High2 Medium4 Low
HighChild Processsrc/index.js
HighShell
HighSame File Env Network Executionsrc/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings