registry  /  @augno/sdk-mcp  /  0.12.4

@augno/sdk-mcp@0.12.4

The official MCP Server for the Augno API

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious install-time, import-time, or persistence behavior was found. The main risk surface is an explicit MCP execute tool that evaluates user-provided TypeScript against the Augno SDK in a Deno worker with limited network permissions.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs mcp-server or imports/initializes the MCP server, then a connected MCP client calls the execute tool.
Impact
Could perform Augno API actions authorized by the user's supplied credentials, but inspection found no hidden exfiltration, destructive package behavior, or unconsented agent control mutation.
Mechanism
User-invoked MCP server with local Deno code execution for Augno SDK calls.
Rationale
The suspicious primitives are aligned with an MCP API server: runtime headers/env configure credentials, and dynamic code execution is exposed as an explicit execute tool rather than install/import-time code. There is no evidence of credential harvesting beyond user-provided API keys, external exfiltration, lifecycle script abuse, broad AI-agent config mutation, persistence, or destructive behavior.
Evidence
package.jsonsrc/index.tssrc/options.tssrc/server.tssrc/http.tssrc/auth.tssrc/code-tool.tssrc/code-tool-worker.tssrc/instructions.tssrc/util.tssrc/code-tool-paths.cts
Network endpoints2
github.com/stainless-api/jq-web/releases/download/v0.8.8/jq-web.tar.gzlocalhost

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall scripts; only build/test/lint/format/fix scripts are present.
    • index.ts/index.js only starts an MCP server when run as the bin/main module, choosing stdio or HTTP transport from CLI options.
    • src/code-tool.ts runs user-supplied code only through the MCP execute tool and restricts Deno worker network to the SDK client baseURL hostname.
    • src/code-tool-worker.ts dynamically imports a data: TypeScript module from the execute tool input, then calls run(client); this is declared package functionality.
    • src/http.ts accepts API keys/env overrides from explicit request headers and redacts auth/key/token/env headers in logs.
    • src/instructions.ts reads only an optional user-supplied custom instructions file; no AI-agent config writes or persistence files found.
    Behavioral surface
    Source
    ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    UrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 44 file(s), 328 KB of source, external domains: deno.land

    Source & flagged code

    4 flagged · loading source
    instructions.jsView file
    7exports.getInstructions = getInstructions; L8: const promises_1 = __importDefault(require("fs/promises")); L9: const logger_1 = require("./logger.js");
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    instructions.jsView on unpkg · L7
    package.jsonView file
    scripts registry_only=start
    Critical
    Manifest Confusion

    Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

    package.jsonView on unpkg
    Remote tarball dependency specs: jq-web@https://github.com/stainless-api/jq-web/releases/download/v0.8.8/jq-web.tar.gz
    Medium
    Remote Tarball Dependency

    Package manifest contains a dependency pinned to a remote tarball URL.

    package.jsonView on unpkg
    code-tool-worker.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @augno/sdk-mcp@0.11.0 matchedIdentity = npm:QGF1Z25vL3Nkay1tY3A:0.11.0 similarity = 0.930 summary = stored previous version shares package body but lacks this dangerous source file
    High
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    code-tool-worker.jsView on unpkg

    Findings

    1 Critical1 High4 Medium3 Low
    CriticalManifest Confusionpackage.json
    HighPrevious Version Dangerous Deltacode-tool-worker.js
    MediumDynamic Requireinstructions.js
    MediumNetwork
    MediumEnvironment Vars
    MediumRemote Tarball Dependencypackage.json
    LowScripts Present
    LowFilesystem
    LowUrl Strings