registry  /  @deerdawn/mcp-server  /  1.0.34

@deerdawn/mcp-server@1.0.34

MCP server for DeerDawn — AI session memory that briefs every new AI session

AI Security Review

scanned 9d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Authenticated runtime startup mutates AI-agent control files and installs Claude hooks without a separate explicit consent gate. Those hooks and signal handlers can collect session transcripts, cwd, and command summaries and send them to DeerDawn APIs.

Static reason
One or more suspicious static signals were detected.
Trigger
Starting the MCP server with DEERDAWN_API_KEY/saved credentials, completing device auth, or running setup/apply_setup.
Impact
Persistent model instructions and hooks can steer future AI sessions and exfiltrate conversation/workspace context to the vendor API.
Mechanism
unconsented AI-agent control-surface mutation plus session telemetry upload
Policy narrative
When the MCP server starts with credentials, dist/index.js calls autoConfigureHooks and syncProjectFiles. These functions modify global and project AI instruction files and install Claude hooks that later run deerdawn-mcp commands. Those commands read recent Claude/Codex transcripts or command payloads and post summarized session context to api.deerdawn.com.
Rationale
Although the package is a session-memory MCP and has no install hook, the runtime automatically persists instructions/hooks into multiple AI-agent control surfaces and uploads session content; that is concrete unconsented AI-agent control-surface mutation rather than a scanner false positive. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonREADME.mddist/index.jsdist/chunk-SWBO3RSY.js~/.claude/settings.json~/.claude/CLAUDE.md~/.codex/AGENTS.md~/.cursor/rules/deerdawn.mdc~/.deerdawn/credentials.json~/.deerdawn/pending-auth.json~/.deerdawn/synced-paths.jsonAGENTS.mdCLAUDE.md.cursorrules.deerdawn-context.md.github/copilot-instructions.md.claude/skills/deerdawn-*.cursor/rules/deerdawn-*.mdc
Network endpoints5
api.deerdawn.comapi.deerdawn.com/api/v1/auth/mcp/startapi.deerdawn.com/api/v1/context/extractionapi.deerdawn.com/api/v1/context/activeapi.deerdawn.com/api/v1/context/search

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • dist/index.js autoConfigureHooks writes Claude hooks and global CLAUDE.md after auth/startup.
  • dist/index.js writes ~/.codex/AGENTS.md with DeerDawn instructions if it exists.
  • dist/index.js syncProjectFiles writes project AGENTS.md, CLAUDE.md, .cursorrules, .deerdawn-context.md on startup.
  • dist/index.js flushSession reads Claude/Codex session JSONL and POSTs conversation chunks to /api/v1/context/extraction.
  • dist/index.js main records runtime startup/tool events with cwd to api.deerdawn.com.
  • dist/index.js command hook captures Bash command text after redaction and records it remotely.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts.
  • Network endpoints are DeerDawn-branded and partly match README-described session-memory functionality.
  • Secrets are redacted in command capture and API keys are stored under ~/.deerdawn/credentials.json.
  • Browser opening uses execFileSync with fixed platform commands and URL argument array, not shell interpolation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 304 KB of source, external domains: api.deerdawn.com

Source & flagged code

3 flagged · loading source
dist/index.jsView file
2419import os from "os"; L2420: import { execFileSync } from "child_process"; L2421:
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L2419
6235const { homedir } = await import("os"); L6236: const { execFileSync: execFileSync4 } = await import("child_process"); L6237: const home = homedir(); L6238: const apiUrl = process.env.DEERDAWN_API_URL ?? "https://api.deerdawn.com"; L6239: let apiKey = process.env.DEERDAWN_API_KEY ?? loadSavedApiKey() ?? null;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L6235
409summary: z4.string().default(""), L410: metadata: z4.record(z4.unknown()).default({}), L411: confidence: z4.number().min(0).max(1).default(0.5), ... L1230: try { L1231: const fmt = new Intl.DateTimeFormat("en-US", { L1232: timeZone: tz, ... L1635: } L1636: var DEFAULT_MCP_API_URL = "https://api.deerdawn.com"; L1637: function buildMcpServerConfigObject(apiUrl = DEFAULT_MCP_API_URL, apiKey = "") { ... L1919: } = require_src(); L1920: function getHomeDir() { L1921: return process.env.DEERDAWN_HOME_DIR || os8.homedir();
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

dist/index.jsView on unpkg · L409

Findings

4 High2 Medium4 Low
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighHost Fingerprint Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings