registry  /  @coldiq/mcp  /  0.3.24

@coldiq/mcp@0.3.24

An [MCP (Model Context Protocol)](https://modelcontextprotocol.io) server that exposes ColdIQ's B2B data marketplace to AI assistants. Connect it to Claude or any MCP-compatible client to search companies, find and enrich contacts, verify emails, track sa

AI Security Review

scanned 6d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs coldiq-mcp and invokes MCP tools such as load_skill or data search/enrichment tools.
Impact
User-supplied prospecting/search inputs and the configured ColdIQ API key are sent to the configured ColdIQ API; remote skill text can influence the calling agent when requested.
Mechanism
stdio MCP server proxies user requests to ColdIQ API and fetches remote ColdIQ skill playbooks
Policy narrative
At runtime the package runs as a stdio MCP server. Tool handlers call ColdIQ API endpoints using COLDIQ_API_KEY, and list_skills/load_skill fetch a ColdIQ GitHub raw skill catalog and playbook bodies for the agent to read. I found no install-time execution, persistence, credential harvesting beyond the intended API key use, filesystem mutation, or broad agent control-surface writes.
Rationale
The package has dangerous agent-facing capability because it can deliver remote skill instructions into an MCP client, but this is explicit runtime functionality and not an unconsented lifecycle hijack. Source inspection supports a warning rather than a publish block.
Evidence
package.jsonsrc/index.tssrc/client.tssrc/skills.tssrc/tools/load-skill.tssrc/tools/list-skills.tssrc/executor.ts
Network endpoints2
api.coldiq.comraw.githubusercontent.com/Cold-IQ/coldiq-marketplace-skills/main/.well-known/agent-skills/index.json

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/skills.ts fetches a remote skills index from raw.githubusercontent.com and load_skill returns remote playbook text to the agent.
  • src/skills.ts allows COLDIQ_SKILLS_INDEX_URL to override the skills catalog URL.
  • src/client.ts sends tool requests with COLDIQ_API_KEY Authorization to configured API base URL.
Evidence against
  • package.json has no install/postinstall/preinstall hook; prepublishOnly is publish-time build only.
  • src/index.ts only starts a stdio MCP server and registers ColdIQ tools when the bin is run.
  • No source writes agent config files, home/project files, shell startup files, VCS hooks, or MCP/Claude/Codex settings.
  • No child_process, eval/Function, dynamic native/binary loading, or destructive filesystem behavior found.
  • Network behavior is package-aligned: ColdIQ API calls and user-invoked skill catalog fetches.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 160 file(s), 1.07 MB of source, external domains: agfundernews.com, api.coldiq.com, api.companyenrich.com, api.peopledatalabs.com, apiv2.leadsfactory.io, app.fullenrich.com, apple.com, coldiq.com, example.com, fintech.global, images.trysignalbase.com, linkedin.com, maps.google.com, microsoft.com, mistral.ai, raw.example, raw.githubusercontent.com, reddit.com, schemas.agentskills.io, sumble.com, techcrunch.com, test-api.local, twitter.com, wework.com, www.coldiq.com, www.google.com, www.linkedin.com, www.reddit.com

Source & flagged code

1 flagged · loading source
tests/skills.test.ts#virtual:normalized:round1View file
44afterEach(() => { L45: globalThis.fetch = originalFetch L46: vi.restoreAllMocks() ... L49: it('listSkills returns name + description from the index', async () => { L50: globalThis.fetch = mockFetch({ L51: 'https://raw.githubusercontent.com/Cold-IQ/coldiq-marketplace-skills/main/.well-known/agent-skills/index.json': { L52: body: JSON.stringify(INDEX), L53: },
Critical
Builtin Api Tampering Exfiltration

Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.

tests/skills.test.ts#virtual:normalized:round1View on unpkg · L44

Findings

1 Critical2 Medium6 Low
CriticalBuiltin Api Tampering Exfiltrationtests/skills.test.ts#virtual:normalized:round1
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License