@everystack/mcp@0.3.0

Governance layer that governs how any agent builds everystack — grounding, cheat gates, and Model-aware tooling over MCP

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an MCP governance server with optional Claude Code hooks and a user-invoked environment-check tool; risky primitives are aligned with those advertised functions.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs everystack-mcp, invokes MCP prompts/tools, or explicitly installs governance hooks.
Impact
May deny Claude Code tool calls and write local governance state/telemetry only after user-configured hooks; no evidence of covert persistence, harvesting, or exfiltration.
Mechanism
Local MCP guidance, optional hook gate, and local prerequisite/version checks
Rationale
Static inspection found no lifecycle execution, covert network behavior, credential harvesting, or unconsented AI-agent control-surface mutation. The scanner findings map to documented MCP governance behavior, local telemetry/state, benign bundled dependency eval patterns, and documentation examples.
Evidence
package.json, src/index.ts, src/tools/check-environment.ts, src/governance/cli.ts, src/governance/grounding.ts, src/gates/telemetry.ts, src/prompts/governance-setup.ts, dist/aws-setup.md, ~/.everystack/governance/grounding/*.json, ~/.everystack/governance/*.jsonl

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/governance/grounding.ts writes local hook state under ~/.everystack/governance/grounding when user installs hooks.
  • src/gates/telemetry.ts appends local JSONL telemetry with rule/path metadata under ~/.everystack/governance.
  • src/tools/check-environment.ts uses execSync for version probes including node, pnpm, git, npx expo, npx sst, aws, psql.
Evidence against
  • package.json has no lifecycle scripts; bin is explicit CLI ./dist/index.cjs.
  • src/index.ts starts a stdio MCP server or explicit governance subcommand; no install/import-time payload.
  • src/index.ts and src/prompts/governance-setup.ts repeatedly require showing hook commands and human confirmation before editing .claude/settings.json.
  • No credential contents are read or exfiltrated; AWS check only tests existence of ~/.aws credentials/config.
  • No package-controlled network exfiltration endpoints found; URLs are documentation/setup guidance.
  • dist/aws-setup.md secret-looking values are AWS documentation examples ending EXAMPLE/EXAMPLEKEY.
Behavioral surface
Source
ChildProcess, EnvironmentVars, Eval, Filesystem, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
CopyleftLicense
scanned 26 file(s), 969 KB of source, external domains: aws.amazon.com, awscli.amazonaws.com, git-scm.com, github.com, json-schema.org, nodejs.org, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.postgresql.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

6 flagged
dist/aws-setup.md
L216: patternName = aws_access_key severity = critical line = 216 matchedText = - **Acce...LE`)
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/aws-setup.md · L216
L216: patternName = aws_access_key severity = critical line = 216 matchedText = - **Acce...LE`)
Critical
Secret Pattern

AWS access key ID in dist/aws-setup.md

dist/aws-setup.md · L216
dist/index.cjs
L21725: // src/tools/check-environment.ts
L21726: var import_node_child_process = require("node:child_process");
L21727: var import_node_fs2 = require("node:fs");
High
Child Process

Package source references child process execution.

dist/index.cjs · L21725
Cross-file remote execution chain: dist/index.cjs spawns src/resources/index.ts; helper contains network access plus dynamic code execution.
L1229: // validation function arguments
L1230: data: new codegen_1.Name("data"),
L1231: // data passed to validation function
...
L2256: id = normalizeId(id);
L2257: return resolver.resolve(baseId, id);
L2258: }
...
L3119: for (i = 0; i < input.length; i++) {
L3120: code = input[i].charCodeAt(0);
L3121: if (code === 48) {
...
L6940: }
L6941: function classifyPrivateEnvKeys(keys, source) {
L6942: return keys.filter((k) => !isPublicEnvKey(k)).map((k) => ({
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.cjs · L1229
L21553: try {
L21554: return globalThis.__dirname || eval("__dirname");
L21555: } catch {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.cjs · L21553
src/resources/aws-setup.md
L216: patternName = aws_access_key severity = critical line = 216 matchedText = - **Acce...LE`)
Critical
Secret Pattern

AWS access key ID in src/resources/aws-setup.md

src/resources/aws-setup.md · L216

Findings

3 Critical, 3 High, 1 Medium, 6 Low
Critical · Critical Secret · dist/aws-setup.md
Critical · Secret Pattern · dist/aws-setup.md
Critical · Secret Pattern · src/resources/aws-setup.md
High · Child Process · dist/index.cjs
High · Shell
High · Cross File Remote Execution Context · dist/index.cjs
Medium · Environment Vars
Low · Scripts Present
Low · Eval · dist/index.cjs
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License