registry  /  @agentwatch-web3/cli  /  0.2.0

@agentwatch-web3/cli@0.2.0

AgentWatch CLI — MCP security proxy, HMAC audit chain, L0/L1 risk detection, and tamper-proof log verification

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface, but the package has an explicit user-command agent config mutation flow. It installs itself as a proxy for an OKX MCP server in local agent configs and records/uploads security events when configured.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `agentwatch init` or starts `agentwatch proxy`/implicit proxy CLI.
Impact
User-approved interception of MCP tool traffic for detection; no install-time hijack or covert exfiltration found.
Mechanism
explicit MCP proxy setup and runtime security event logging/upload
Rationale
Source inspection shows a legitimate MCP security proxy with explicit init-time agent config mutation and runtime logging/upload capabilities, but no unconsented install-time control-surface hijack, hidden payload, credential harvesting, or covert endpoint. Per policy this is a warn-level lifecycle/capability risk rather than malicious.
Evidence
package.jsondist/packages/local/src/cli/index.jsdist/packages/local/src/cli/commands/init.jsdist/packages/local/src/cli/lib/mcp-config.jsdist/packages/local/src/cli/lib/paths.jsdist/packages/local/src/cli/proxy-runtime.jsdist/packages/local/src/cloud/supabaseCloudTransport.jsdist/packages/local/src/proxy/MCPProxyCore.js~/.agentwatch/config.yaml~/.agentwatch/log.jsonl~/.agentwatch/agentwatch.db~/.agentwatch/agentwatch.pipe~/.onchainos/mcp.json~/Library/Application Support/Claude/mcp.json~/.cursor/mcp.json
Network endpoints2
kbjcikgoawxhotwwqtin.supabase.coagentwatch.dev/docs/blocked

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • Explicit `init` command writes `~/.agentwatch/config.yaml` and patches detected MCP configs for OnchainOS, Claude Desktop, and Cursor.
  • `dist/packages/local/src/cli/lib/mcp-config.js` replaces/creates the `okx` MCP server entry to run `npx -y @agentwatch-web3/cli --config ... -- ...`.
  • Runtime proxy creates `~/.agentwatch/agentwatch.pipe`, SQLite DB/log files, and spawns the configured downstream MCP process.
Evidence against
  • No npm install/preinstall/postinstall hook; only `prepublishOnly` is present.
  • MCP config mutation is behind explicit `agentwatch init`, not install-time or import-time execution.
  • Network upload is package-aligned telemetry to configured cloud endpoint and requires AgentWatch upload secret/config.
  • Sensitive field masking exists before logging/uploading; no broad credential harvesting or hidden exfiltration found.
  • Child process execution is the declared proxy function using user/config-provided downstream command.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 57 file(s), 408 KB of source, external domains: agentwatch.dev, kbjcikgoawxhotwwqtin.supabase.co

Source & flagged code

1 flagged · loading source
dist/packages/local/src/cli/proxy-runtime.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @agentwatch-web3/cli@0.1.2 matchedIdentity = npm:QGFnZW50d2F0Y2gtd2ViMy9jbGk:0.1.2 similarity = 0.643 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/packages/local/src/cli/proxy-runtime.jsView on unpkg

Findings

1 High1 Medium5 Low
HighPrevious Version Dangerous Deltadist/packages/local/src/cli/proxy-runtime.js
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings