registry  /  @ateam-ai/mcp  /  0.4.0

@ateam-ai/mcp@0.4.0

A-Team MCP Server — build, validate, and deploy multi-agent solutions from any AI environment

AI Security Review

scanned 15d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an A-Team MCP server whose network and credential handling are aligned with explicit authentication and user-invoked deployment/admin tools.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs ateam-mcp/node src/index.js and invokes MCP tools.
Impact
User-authorized operations against A-Team tenant resources; no hidden credential exfiltration found
Mechanism
authenticated MCP API proxy and deployment/admin client
Rationale
Static inspection shows a package-aligned MCP server that forwards user-provided or environment A-Team credentials to A-Team/Core endpoints for explicit tools, with no lifecycle execution, hidden harvesting, persistence, or unconsented agent control-surface mutation. Scanner exfiltration hints appear to be noisy matches on legitimate API-key authentication and network client code.
Evidence
package.jsonsrc/index.jssrc/server.jssrc/http.jssrc/oauth.jssrc/api.jssrc/tools.js.env.exampleREADME.md
Network endpoints5
api.ateam-ai.commcp.ateam-ai.comapp.ateam-ai.com/builder/?show=api-keyateam-ai.comadas-backend:4000

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/tools.js exposes powerful authenticated tenant operations including deploy, patch, delete, notification, and GitHub patch tools.
  • src/tools.js ateam_auth accepts api_key/master_key and optional url override, then forwards credentials through src/api.js headers.
  • src/tools.js has user-supplied URL fetching in ateam_upload_connector_files.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; main/bin only start the MCP server.
  • src/api.js sends ADAS_API_KEY/master_key as auth headers to configured A-Team API endpoints; this is core package functionality, not hidden harvesting.
  • src/tools.js gates tenant-aware operations behind explicit ateam_auth and validates/derives tenant instead of silently using env credentials.
  • src/index.js only starts stdio or optional HTTP transport; no import-time exfiltration or persistence observed.
  • No child_process, eval/vm/Function, native binary loading, destructive local filesystem writes, or AI-agent config mutation found.
  • OAuth/API-key flows in src/oauth.js and src/http.js are explicit server auth surfaces for the MCP service.
Behavioral surface
Source
CryptoEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 262 KB of source, external domains: 127.0.0.1, api.ateam-ai.com, app.ateam-ai.com, ateam-ai.com, chatgpt.com, claude.ai, claude.com, dev-api.ateam-ai.com, mcp.ateam-ai.com

Source & flagged code

2 flagged · loading source
src/tools.jsView file
51// Transient — keep polling. Log at debug level if requested. L52: if (process.env.MCP_DEBUG_POLLS) console.warn(`[pollDeployJob:${label}] poll error (will retry): ${err.message}`); L53: } ... L189: description: L190: "Authenticate with A-Team. Required before any tenant-aware operation (reading solutions, deploying, testing, etc.). The user can get their API key at https://mcp.ateam-ai.com/get-... L191: inputSchema: { ... L411: }, L412: metadata: { L413: type: "object", ... L723: description: L724: "Scaffold a new MCP connector with server.js + package.json + README. " + L725: "Eliminates ~50% of identical boilerplate (MCP server setup, tool registration, " +
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

src/tools.jsView on unpkg · L51
51Trigger-reachable chain: manifest.main -> src/index.js -> src/server.js -> src/tools.js L51: // Transient — keep polling. Log at debug level if requested. L52: if (process.env.MCP_DEBUG_POLLS) console.warn(`[pollDeployJob:${label}] poll error (will retry): ${err.message}`); L53: } ... L189: description: L190: "Authenticate with A-Team. Required before any tenant-aware operation (reading solutions, deploying, testing, etc.). The user can get their API key at https://mcp.ateam-ai.com/get-... L191: inputSchema: { ... L411: }, L412: metadata: { L413: type: "object", ... L723: description: L724: "Scaffold a new MCP connector with server.js + package.json + README. " + L725: "Eliminates ~50% of identical boilerplate (MCP server setup, tool registration, " +
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/tools.jsView on unpkg · L51

Findings

2 Critical3 Medium3 Low
CriticalCredential Exfiltrationsrc/tools.js
CriticalTrigger Reachable Dangerous Capabilitysrc/tools.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings