registry  /  @embrasure/cli  /  0.1.5

@embrasure/cli@0.1.5

Set up Embrasure MCP for Claude Code, Codex, Cursor, and data agents.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `embrasure setup`, `embrasure auth`, `embrasure mcp serve`, or other CLI subcommands.
Impact
Can configure local agents to run the Embrasure MCP bridge and send MCP frames to Embrasure with the user's Embrasure token; no confirmed malicious behavior.
Mechanism
Explicit CLI-driven MCP setup and Embrasure API/MCP proxying
Rationale
Static inspection found a legitimate Embrasure CLI with explicit agent MCP setup and credential/network behavior aligned to its documented purpose. Because it mutates AI-agent control surfaces only after a user command, this warrants warning rather than blocking.
Evidence
package.jsondist/index.jsREADME.md~/.embrasure/config.json~/.embrasure/refresh-token~/.cursor/mcp.jsonembrasure.pipeline.yamlmetabase report path from --reportshell completion install paths
Network endpoints5
api.embrasure.aiembrasure.aiembrasure.ai/api/mcp/embrasureregistry.npmjs.org/@embrasure%2fcli/latestuser-supplied Metabase URL

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/index.js defines `embrasure setup` that can add MCP entries to Claude, Codex, or Cursor config.
  • dist/index.js writes Cursor MCP config at `~/.cursor/mcp.json` and invokes `claude mcp add-json` / `codex mcp add`.
  • MCP entry runs `npx -y @embrasure/cli@latest mcp serve`, giving an agent a user-approved Embrasure bridge.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • Agent config mutation is behind explicit `embrasure setup`, not install-time or import-time execution.
  • Network use is package-aligned: Embrasure auth/API/MCP endpoints, npm update check, or user-supplied Metabase URL.
  • Credential handling stores Embrasure tokens in system credential store or `~/.embrasure/config.json` and masks output.
  • No eval/vm/dynamic payload loading, destructive behavior, persistence, or broad credential harvesting found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
NoLicense
scanned 1 file(s), 151 KB of source, external domains: 127.0.0.1, api.embrasure.ai, embrasure.ai

Source & flagged code

2 flagged · loading source
dist/index.jsView file
3// src/program.ts L4: import { spawnSync } from "node:child_process"; L5: import { access, mkdir as mkdir2, readFile as readFile5, writeFile as writeFile3 } from "node:fs/promises";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L3
629import { createHash, randomBytes } from "node:crypto"; L630: import { spawn as spawn2 } from "node:child_process"; L631: import { createServer } from "node:http"; L632: import { hostname, platform } from "node:os"; ... L636: var defaultWriter = { L637: stdout: process.stdout, L638: stderr: process.stderr ... L640: function writeJson(writer, value) { L641: writer.stdout.write(`${JSON.stringify(value, null, 2)} L642: `);
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L629

Findings

3 High2 Medium6 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License