registry  /  @ceraph/react-native-mcp  /  0.5.0

@ceraph/react-native-mcp@0.5.0

MCP server for React Native and Expo development workflow

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs npx @ceraph/react-native-mcp init, starts the MCP server, or calls ceraph_init_* tools.
Impact
Adds a powerful local MCP server to agent clients and can control a dev app/device within the documented React Native workflow.
Mechanism
Explicit MCP client setup, auth token persistence, local dev signal polling, and iOS automation commands.
Rationale
Static inspection supports a warning for explicit user-command AI-agent config mutation and powerful local automation, not a publish block. The scanner's install-time and obfuscation signals are real but do not show unconsented postinstall mutation, exfiltration, or remote code execution.
Evidence
package.jsonREADME.mddist/index.jsdist/cli.jsdist/shim/boot.jsdist/shim/command-poll.jsdist/shim/signal-transport.jsdist/babel-plugin/index.js.mcp.json.cursor/mcp.json.codex/config.toml.vscode/mcp.json.claude/settings.local.json~/.ceraph/auth.json.rn-errors.json.gitignore.ceraph/
Network endpoints4
ceraph.devceraph.dev/cli-auth<CERAPH_SIGNAL_HOST>:8101/signal<CERAPH_SIGNAL_HOST>:8101/commands

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js auto-starts an MCP server unless CERAPH_NO_AUTOSTART=1.
  • dist/index.js exposes ceraph_init_setup_mcp_clients to write .mcp.json, .cursor/mcp.json, .codex/config.toml, .vscode/mcp.json, and .claude/settings.local.json preapproval.
  • dist/index.js ceraph_init_auth_browser persists pasted/browser token to ~/.ceraph/auth.json.
  • dist/shim/command-poll.js polls http://<host>:8101/commands and can run reset/reload/hook/fiber commands in __DEV__ apps.
  • dist files are intentionally obfuscated, raising audit difficulty.
Evidence against
  • package.json postinstall only prints setup instructions and has no config mutation or network call.
  • README.md documents init, MCP client config writes, Claude hook setup, auth token storage, and uninstall behavior.
  • dist/shim/boot.js gates runtime instrumentation on __DEV__.
  • dist/babel-plugin/index.js only injects deterministic testID attributes when not production.
  • Network endpoints found are package-aligned Ceraph auth/pro features or local dev endpoints.
  • No evidence of credential harvesting, stealth persistence, destructive install-time behavior, or remote payload loading.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
MinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 27 file(s), 1.12 MB of source, external domains: 127.0.0.1

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{var e=process.env;if(e.CI||e.CERAPH_SKIP_POSTINSTALL||require('fs').existsSync(process.cwd()+'/../../pnpm-workspace.yaml'))process.exit(0);process.stderr.write('\n[@ce...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "try{var e=process.env;if(e.CI||e.CERAPH_SKIP_POSTINSTALL||require('fs').existsSync(process.cwd()+'/../../pnpm-workspace.yaml'))process.exit(0);process.stderr.write('\n[@ce...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/index.jsView file
1#!/usr/bin/env node L2: const _0x2a5a1e=_0x3342;(function(_0x3162e2,_0x306c63){const _0x5af676=_0x3342,_0x15cf14=_0x3162e2();while(!![]){try{const _0x119f3e=parseInt(_0x5af676(0x594))/0x1*(-parseInt(_0x5a...
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1
1#!/usr/bin/env node L2: const _0x2a5a1e=_0x3342;(function(_0x3162e2,_0x306c63){const _0x5af676=_0x3342,_0x15cf14=_0x3162e2();while(!![]){try{const _0x119f3e=parseInt(_0x5af676(0x594))/0x1*(-parseInt(_0x5a...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L1
dist/babel-plugin/index.cjsView file
1'use strict';const _0x304ea9=_0x3295;(function(_0x59ca79,_0x6d07f7){const _0x48b525=_0x3295,_0x41ebe6=_0x59ca79();while(!![]){try{const _0x2f35a2=parseInt(_0x48b525(0xd8))/0x1*(-pa...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/babel-plugin/index.cjsView on unpkg · L1
dist/babel-plugin/index.jsView file
1const _0x2eb26f=_0x40e6;(function(_0x1515a4,_0x28e41c){const _0x30b84d=_0x40e6,_0x2a1e23=_0x1515a4();while(!![]){try{const _0x2a7c62=parseInt(_0x30b84d(0xfd))/0x1*(-parseInt(_0x30b...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/babel-plugin/index.jsView on unpkg · L1

Findings

1 Critical5 High4 Medium3 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighSame File Env Network Executiondist/index.js
HighObfuscated Payload Loaderdist/babel-plugin/index.js
HighObfuscated
MediumDynamic Requiredist/babel-plugin/index.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings