registry  /  @elkindev/dbgraph  /  1.1.1

@elkindev/dbgraph@1.1.1

Database schema graph for AI agents — index your database catalog into a local graph, served over MCP

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `dbgraph install` (optionally `--project`).
Impact
Future AI-agent sessions may invoke the registered dbgraph MCP server.
Mechanism
Explicit MCP agent configuration mutation.
Rationale
Source inspection confirms an explicit-user agent setup capability, not unconsented installation-time behavior. Dynamic database-driver loading and child-process probes are package-aligned; warn for the broad agent configuration mutation.
Evidence
package.jsondist/cli.jsdist/mcp.jsdist/index.jsdist/open-WLBPYZLW.js.mcp.json.cursor/mcp.json.gemini/settings.json.vscode/mcp.jsonopencode.json.codex/config.toml

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • dist/cli.js implements explicit `dbgraph install` config mutation.
  • The command writes MCP entries invoking `npx -y -p @elkindev/dbgraph dbgraph-mcp`.
  • Target configs include Claude, Cursor, Gemini, VS Code, opencode, and Codex.
  • dist/mcp.js starts an MCP server only when its bin is invoked.
Evidence against
  • package.json has no preinstall, install, postinstall, or prepare lifecycle hook.
  • CLI startup is guarded by a direct-bin invocation check.
  • Agent-config writes require the explicit `install` command.
  • No package-owned credential exfiltration endpoint was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 4.47 MB of source, external domains: 169.254.169.254, d3js.org, github.com, jira.mongodb.org, learn.microsoft.com, login.chinacloudapi.cn, login.microsoftonline.com, login.microsoftonline.de, login.microsoftonline.us, sidorares.github.io, tools.ietf.org, vault.azure.net, www.mongodb.com, www.npmjs.com, www.postgresql.org
Oversized source lightweight scan
dist/index.cjs5.59 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsCryptoHighEntropyStringsUrlStringslearn.microsoft.comlogin.chinacloudapi.cnlogin.microsoftonline.comlogin.microsoftonline.delogin.microsoftonline.uswww.npmjs.com
dist/tedious-3WZBQM6C.js2.28 MB file, sampled 256 KB
ChildProcessEnvironmentVarsCryptoHighEntropyStringsUrlStringsgithub.comlogin.chinacloudapi.cnlogin.microsoftonline.comlogin.microsoftonline.delogin.microsoftonline.us

Source & flagged code

8 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @elkindev/dbgraph@1.1.0 matchedIdentity = npm:QGVsa2luZGV2L2RiZ3JhcGg:1.1.0 similarity = 0.765 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
3160}, L3161: exec(sql) { L3162: db.exec(sql);
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L3160
316Cross-file remote execution chain: dist/index.js spawns dist/lib-UM52B2AB.js; helper contains network access plus dynamic code execution. L316: } L317: function resolveSecrets(cfg, envMap = process.env) { L318: switch (cfg.dialect) { ... L398: const configPath = join(projectRoot, "dbgraph.config.json"); L399: const rawJson = JSON.parse(readFileSync(configPath, "utf-8")); L400: const cfg = parseConfig(rawJson); ... L565: bodyHash: null, L566: ftsBody: "", L567: ...comment !== void 0 ? { comment } : {} ... L3160: }, L3161: exec(sql) { L3162: db.exec(sql);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L316
389try { L390: const sea = createRequire(process.execPath)("node:sea"); L391: return typeof sea.isSea === "function" ? sea.isSea() : false;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L389
316} L317: function resolveSecrets(cfg, envMap = process.env) { L318: switch (cfg.dialect) { ... L398: const configPath = join(projectRoot, "dbgraph.config.json"); L399: const rawJson = JSON.parse(readFileSync(configPath, "utf-8")); L400: const cfg = parseConfig(rawJson); ... L565: bodyHash: null, L566: ftsBody: "", L567: ...comment !== void 0 ? { comment } : {} ... L3160: }, L3161: exec(sql) { L3162: db.exec(sql);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L316
dist/open-WLBPYZLW.jsView file
95import fs4, { constants as fsConstants } from "fs/promises"; L96: var wslDrivesMountPoint, powerShellPathFromWsl, powerShellPath; L97: var init_wsl_utils = __esm({
High
Shell

Package source references shell execution.

dist/open-WLBPYZLW.jsView on unpkg · L95
dist/lib-UM52B2AB.jsView file
83array: 4, L84: binData: 5, L85: undefined: 6, ... L141: }; L142: var TextDecoderFatal; L143: var TextDecoderNonFatal; ... L321: const { console: console2 } = globalThis; L322: console2?.warn?.("BSON: For React Native please polyfill crypto.getRandomValues, e.g. using: https://www.npmjs.com/package/react-native-get-random-values."); L323: } ... L10211: function resolveLogPath({ MONGODB_LOG_PATH }, { mongodbLogPath }) { L10212: if (typeof mongodbLogPath === "string" && /^stderr$/i.test(mongodbLogPath)) { L10213: return { mongodbLogPath: createStdioLogger(process.stderr), mongodbLogPathIsStdErr: true };
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/lib-UM52B2AB.jsView on unpkg · L83
dist/tedious-3WZBQM6C.jsView file
path = dist/tedious-3WZBQM6C.js kind = oversized_source_file sizeBytes = 2395661 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/tedious-3WZBQM6C.jsView on unpkg

Findings

1 Critical5 High4 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/index.js
HighShelldist/open-WLBPYZLW.js
HighCloud Metadata Accessdist/lib-UM52B2AB.js
HighCross File Remote Execution Contextdist/index.js
HighOversized Source Filedist/tedious-3WZBQM6C.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowWeak Cryptodist/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings