registry  /  @ateam-ai/mcp  /  0.4.2

@ateam-ai/mcp@0.4.2

A-Team MCP Server — build, validate, and deploy multi-agent solutions from any AI environment

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. At runtime, an authenticated MCP caller can cause the package to fetch a caller-supplied URL and forward its content to the A-Team backend. A build operation also automatically updates CLAUDE.md in the selected solution repository.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User or agent invokes ateam_upload_connector_files or ateam_build_and_run after explicit authentication.
Impact
Could expose data reachable by the MCP host through an unrestricted URL fetch or alter the selected repository's agent instructions; neither behavior runs at npm install.
Mechanism
User-directed remote fetch/upload plus automatic agent-document repository write
Rationale
The scanner's malicious credential-exfiltration claim is not supported as covert behavior: environment credentials are used by the declared API client. The package is not malicious by static evidence, but it has unresolved authenticated SSRF-like and agent-extension lifecycle risk.
Evidence
package.jsonsrc/index.jssrc/api.jssrc/server.jssrc/tools.jssrc/agentDoc.jsCLAUDE.md
Network endpoints2
api.ateam-ai.comadas-backend:4000

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/tools.js:3013 fetches an unrestricted user-supplied file.url, then uploads its text to the platform.
  • src/tools.js:2619 automatically invokes ateam_write_agent_doc during build_and_run.
  • src/tools.js:3478 patches CLAUDE.md in the selected solution GitHub repository.
  • src/tools.js:4011 requires explicit authentication before tenant-aware operations.
Evidence against
  • package.json has no preinstall, install, postinstall, or other lifecycle hook.
  • src/index.js only starts an MCP stdio server or explicit --http server.
  • src/api.js sends configured API credentials as headers to the configured A-Team API client endpoint.
  • No filesystem harvesting, shell execution, eval/vm use, binary loading, or stealth persistence was found in inspected source.
Behavioral surface
Source
CryptoEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 266 KB of source, external domains: 127.0.0.1, api.ateam-ai.com, app.ateam-ai.com, ateam-ai.com, chatgpt.com, claude.ai, claude.com, dev-api.ateam-ai.com, mcp.ateam-ai.com

Source & flagged code

2 flagged · loading source
src/tools.jsView file
51// Transient — keep polling. Log at debug level if requested. L52: if (process.env.MCP_DEBUG_POLLS) console.warn(`[pollDeployJob:${label}] poll error (will retry): ${err.message}`); L53: } ... L189: description: L190: "Authenticate with A-Team. Required before any tenant-aware operation (reading solutions, deploying, testing, etc.). The user can get their API key at https://mcp.ateam-ai.com/get-... L191: inputSchema: { ... L411: }, L412: metadata: { L413: type: "object", ... L729: description: L730: "Scaffold a new MCP connector with server.js + package.json + README. " + L731: "Eliminates ~50% of identical boilerplate (MCP server setup, tool registration, " +
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

src/tools.jsView on unpkg · L51
51Trigger-reachable chain: manifest.main -> src/index.js -> src/server.js -> src/tools.js L51: // Transient — keep polling. Log at debug level if requested. L52: if (process.env.MCP_DEBUG_POLLS) console.warn(`[pollDeployJob:${label}] poll error (will retry): ${err.message}`); L53: } ... L189: description: L190: "Authenticate with A-Team. Required before any tenant-aware operation (reading solutions, deploying, testing, etc.). The user can get their API key at https://mcp.ateam-ai.com/get-... L191: inputSchema: { ... L411: }, L412: metadata: { L413: type: "object", ... L729: description: L730: "Scaffold a new MCP connector with server.js + package.json + README. " + L731: "Eliminates ~50% of identical boilerplate (MCP server setup, tool registration, " +
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/tools.jsView on unpkg · L51

Findings

2 Critical3 Medium3 Low
CriticalCredential Exfiltrationsrc/tools.js
CriticalTrigger Reachable Dangerous Capabilitysrc/tools.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings