AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface, but the package has an explicit user-command agent config mutation flow. It installs itself as a proxy for an OKX MCP server in local agent configs and records/uploads security events when configured.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `agentwatch init` or starts `agentwatch proxy`/implicit proxy CLI.
Impact
User-approved interception of MCP tool traffic for detection; no install-time hijack or covert exfiltration found.
Mechanism
explicit MCP proxy setup and runtime security event logging/upload
Rationale
Source inspection shows a legitimate MCP security proxy with explicit init-time agent config mutation and runtime logging/upload capabilities, but no unconsented install-time control-surface hijack, hidden payload, credential harvesting, or covert endpoint. Per policy this is a warn-level lifecycle/capability risk rather than malicious.
Evidence
package.jsondist/packages/local/src/cli/index.jsdist/packages/local/src/cli/commands/init.jsdist/packages/local/src/cli/lib/mcp-config.jsdist/packages/local/src/cli/lib/paths.jsdist/packages/local/src/cli/proxy-runtime.jsdist/packages/local/src/cloud/supabaseCloudTransport.jsdist/packages/local/src/proxy/MCPProxyCore.js~/.agentwatch/config.yaml~/.agentwatch/log.jsonl~/.agentwatch/agentwatch.db~/.agentwatch/agentwatch.pipe~/.onchainos/mcp.json~/Library/Application Support/Claude/mcp.json~/.cursor/mcp.json
Network endpoints2
kbjcikgoawxhotwwqtin.supabase.coagentwatch.dev/docs/blocked
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- Explicit `init` command writes `~/.agentwatch/config.yaml` and patches detected MCP configs for OnchainOS, Claude Desktop, and Cursor.
- `dist/packages/local/src/cli/lib/mcp-config.js` replaces/creates the `okx` MCP server entry to run `npx -y @agentwatch-web3/cli --config ... -- ...`.
- Runtime proxy creates `~/.agentwatch/agentwatch.pipe`, SQLite DB/log files, and spawns the configured downstream MCP process.
Evidence against
- No npm install/preinstall/postinstall hook; only `prepublishOnly` is present.
- MCP config mutation is behind explicit `agentwatch init`, not install-time or import-time execution.
- Network upload is package-aligned telemetry to configured cloud endpoint and requires AgentWatch upload secret/config.
- Sensitive field masking exists before logging/uploading; no broad credential harvesting or hidden exfiltration found.
- Child process execution is the declared proxy function using user/config-provided downstream command.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/packages/local/src/cli/proxy-runtime.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @agentwatch-web3/cli@0.1.2
matchedIdentity = npm:QGFnZW50d2F0Y2gtd2ViMy9jbGk:0.1.2
similarity = 0.643
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/packages/local/src/cli/proxy-runtime.jsView on unpkgFindings
1 High1 Medium5 Low
HighPrevious Version Dangerous Deltadist/packages/local/src/cli/proxy-runtime.js
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings