AI Security Review
scanned 15d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is an A-Team MCP server whose network and credential handling are aligned with explicit authentication and user-invoked deployment/admin tools.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs ateam-mcp/node src/index.js and invokes MCP tools.
Impact
User-authorized operations against A-Team tenant resources; no hidden credential exfiltration found
Mechanism
authenticated MCP API proxy and deployment/admin client
Rationale
Static inspection shows a package-aligned MCP server that forwards user-provided or environment A-Team credentials to A-Team/Core endpoints for explicit tools, with no lifecycle execution, hidden harvesting, persistence, or unconsented agent control-surface mutation. Scanner exfiltration hints appear to be noisy matches on legitimate API-key authentication and network client code.
Evidence
package.jsonsrc/index.jssrc/server.jssrc/http.jssrc/oauth.jssrc/api.jssrc/tools.js.env.exampleREADME.md
Network endpoints5
api.ateam-ai.commcp.ateam-ai.comapp.ateam-ai.com/builder/?show=api-keyateam-ai.comadas-backend:4000
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- src/tools.js exposes powerful authenticated tenant operations including deploy, patch, delete, notification, and GitHub patch tools.
- src/tools.js ateam_auth accepts api_key/master_key and optional url override, then forwards credentials through src/api.js headers.
- src/tools.js has user-supplied URL fetching in ateam_upload_connector_files.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; main/bin only start the MCP server.
- src/api.js sends ADAS_API_KEY/master_key as auth headers to configured A-Team API endpoints; this is core package functionality, not hidden harvesting.
- src/tools.js gates tenant-aware operations behind explicit ateam_auth and validates/derives tenant instead of silently using env credentials.
- src/index.js only starts stdio or optional HTTP transport; no import-time exfiltration or persistence observed.
- No child_process, eval/vm/Function, native binary loading, destructive local filesystem writes, or AI-agent config mutation found.
- OAuth/API-key flows in src/oauth.js and src/http.js are explicit server auth surfaces for the MCP service.
Behavioral surface
CryptoEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcesrc/tools.jsView file
51// Transient — keep polling. Log at debug level if requested.
L52: if (process.env.MCP_DEBUG_POLLS) console.warn(`[pollDeployJob:${label}] poll error (will retry): ${err.message}`);
L53: }
...
L189: description:
L190: "Authenticate with A-Team. Required before any tenant-aware operation (reading solutions, deploying, testing, etc.). The user can get their API key at https://mcp.ateam-ai.com/get-...
L191: inputSchema: {
...
L411: },
L412: metadata: {
L413: type: "object",
...
L723: description:
L724: "Scaffold a new MCP connector with server.js + package.json + README. " +
L725: "Eliminates ~50% of identical boilerplate (MCP server setup, tool registration, " +
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
src/tools.jsView on unpkg · L5151Trigger-reachable chain: manifest.main -> src/index.js -> src/server.js -> src/tools.js
L51: // Transient — keep polling. Log at debug level if requested.
L52: if (process.env.MCP_DEBUG_POLLS) console.warn(`[pollDeployJob:${label}] poll error (will retry): ${err.message}`);
L53: }
...
L189: description:
L190: "Authenticate with A-Team. Required before any tenant-aware operation (reading solutions, deploying, testing, etc.). The user can get their API key at https://mcp.ateam-ai.com/get-...
L191: inputSchema: {
...
L411: },
L412: metadata: {
L413: type: "object",
...
L723: description:
L724: "Scaffold a new MCP connector with server.js + package.json + README. " +
L725: "Eliminates ~50% of identical boilerplate (MCP server setup, tool registration, " +
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
src/tools.jsView on unpkg · L51Findings
2 Critical3 Medium3 Low
CriticalCredential Exfiltrationsrc/tools.js
CriticalTrigger Reachable Dangerous Capabilitysrc/tools.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings