registry  /  @contextium/mcp-server  /  1.8.1

@contextium/mcp-server@1.8.1

MCP server for Contextium — pipe team SOPs, coding standards, and AI context directly into Claude, Cursor, and other AI coding assistants

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The package is an MCP server/CLI that can explicitly configure first-party Contextium entries in Claude clients and call Contextium APIs with the user's token.

Static reason
No blocking static signals were detected.
Trigger
User runs contextium-mcp-server setup or invokes MCP/CLI tools
Impact
Adds Contextium MCP config/permissions and enables user-authorized Contextium resource operations
Mechanism
explicit first-party MCP setup and authenticated API client
Rationale
Static inspection found explicit user-command agent/client configuration and broad package-owned Claude Code allow-listing, but no install-time mutation, stealth, unrelated exfiltration, or remote payload execution. This fits a warning-level first-party agent extension lifecycle risk rather than malware.
Evidence
package.jsondist/index.jsdist/cli/setup.jsdist/cli/config-manager.jsdist/cli/credentials.jsdist/api-client.jsdist/server.jsdist/auth/verify-token.jsdist/tools/connectors.js~/.contextium/credentials.json~/Library/Application Support/Claude/claude_desktop_config.json%APPDATA%/Claude/claude_desktop_config.json~/.config/Claude/claude_desktop_config.json.mcp.json~/.claude/settings.json
Network endpoints2
api.contextium.io/api/v1mcp.contextium.io/sse

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli/setup.js setup command can update Claude Desktop and Claude Code MCP configs after user invocation/auth flow.
  • dist/cli/config-manager.js writes Claude Desktop config, project .mcp.json, and ~/.claude/settings.json allow rule mcp__contextium__*.
  • dist/api-client.js exposes authenticated create/update/delete operations against Contextium API and brokered connector_request capability.
Evidence against
  • package.json has no install/preinstall/postinstall hook; only prepublishOnly build.
  • dist/index.js only runs CLI commands or stdio MCP server when invoked via bin/main.
  • Network calls are Contextium-aligned API/MCP endpoints or user-provided --api-url.
  • No child_process, eval/vm/Function, native binary loading, credential harvesting, or unrelated exfiltration found.
  • Credentials are saved locally under ~/.contextium/credentials.json with mode 0600.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 76 file(s), 437 KB of source, external domains: api.contextium.io, mcp.contextium.io

Source & flagged code

3 flagged · loading source
dist/cli/setup.jsView file
Published source reference
Medium
Ai Review Evidence

dist/cli/setup.js setup command can update Claude Desktop and Claude Code MCP configs after user invocation/auth flow.

dist/cli/setup.jsView on unpkg
dist/cli/config-manager.jsView file
Published source reference
Medium
Ai Review Evidence

dist/cli/config-manager.js writes Claude Desktop config, project .mcp.json, and ~/.claude/settings.json allow rule mcp__contextium__*.

dist/cli/config-manager.jsView on unpkg
dist/api-client.jsView file
Published source reference
Medium
Ai Review Evidence

dist/api-client.js exposes authenticated create/update/delete operations against Contextium API and brokered connector_request capability.

dist/api-client.jsView on unpkg

Findings

5 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/cli/setup.js
MediumAi Review Evidencedist/cli/config-manager.js
MediumAi Review Evidencedist/api-client.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings