
@everystack/mcp@0.3.2

Governance layer that governs how any agent builds everystack — grounding, cheat gates, and Model-aware tooling over MCP

AI Security Review

scanned 54m ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an MCP server plus optional Claude Code governance hook shim. Risk is first-party agent hook setup and local hook state/telemetry if a user deliberately installs the suggested hooks; no install-time or import-time attack behavior is confirmed.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs everystack-mcp as an MCP server or explicitly installs/runs generated Claude Code hooks
Impact
Can influence/deny agent tool use in projects where hooks are manually installed; otherwise provides guidance and local prerequisite checks.
Mechanism
MCP resources/tools/prompts and optional local governance hook CLI
Rationale
Static inspection shows an explicit user-command agent extension lifecycle risk, but no unconsented install-time mutation, credential theft, remote payload execution, or destructive behavior. The suspicious scanner hits align with documented MCP/governance functionality and placeholder documentation.
Evidence
  • package.json
  • src/index.ts
  • src/prompts/governance-setup.ts
  • src/governance/cli.ts
  • src/governance/grounding.ts
  • src/gates/telemetry.ts
  • src/tools/check-environment.ts
  • src/resources/index.ts
  • dist/aws-setup.md
  • ~/.claude/CLAUDE.md
  • <project>/CLAUDE.md
  • ~/.everystack/governance/grounding/<session>.json
  • ~/.everystack/governance/<session>.jsonl

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/prompts/governance-setup.ts emits Claude Code hook config for .claude/settings.json
  • src/governance/cli.ts implements hook subcommands that can deny PreToolUse actions
  • src/governance/grounding.ts reads ~/.claude/CLAUDE.md and writes ~/.everystack/governance/grounding state
  • src/gates/telemetry.ts appends per-session telemetry metadata under ~/.everystack/governance
  • src/tools/check-environment.ts uses execSync for local prerequisite version checks when tool is invoked
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • Hook installation is prompt-generated and explicitly says confirm-first, not silent install-time mutation
  • No credential harvesting or exfiltration code found; telemetry records rule/path/severity only
  • dist/aws-setup.md secret-like findings are placeholder IAM/AWS setup documentation, not embedded credentials
  • eval in src/resources/index.ts is for __dirname/import.meta.url resolution, not remote code execution
  • Network URLs are documentation/install hints; no runtime fetch or remote payload loading found
Behavioral surface
Source: Child Process, Environment Vars, Eval, Filesystem, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: Copyleft License
scanned 27 file(s), 979 KB of source, external domains: aws.amazon.com, awscli.amazonaws.com, git-scm.com, github.com, json-schema.org, nodejs.org, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.postgresql.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

6 flagged

dist/aws-setup.md

  L216: patternName = aws_access_key, severity = critical, line = 216, matchedText = - **Acce...LE`)
  Critical · Critical Secret
  Package contains a critical-looking secret pattern.

  L216: patternName = aws_access_key, severity = critical, line = 216, matchedText = - **Acce...LE`)
  Critical · Secret Pattern
  AWS access key ID in dist/aws-setup.md
dist/index.cjs

  L21725: // src/tools/check-environment.ts
  L21726: var import_node_child_process = require("node:child_process");
  L21727: var import_node_fs2 = require("node:fs");
  High · Child Process
  Package source references child process execution.

  L1229: Cross-file remote execution chain: dist/index.cjs spawns src/resources/index.ts; helper contains network access plus dynamic code execution.
  L1229: // validation function arguments
  L1230: data: new codegen_1.Name("data"),
  L1231: // data passed to validation function
  ...
  L2256: id = normalizeId(id);
  L2257: return resolver.resolve(baseId, id);
  L2258: }
  ...
  L3119: for (i = 0; i < input.length; i++) {
  L3120: code = input[i].charCodeAt(0);
  L3121: if (code === 48) {
  ...
  L6940: }
  L6941: function classifyPrivateEnvKeys(keys, source) {
  L6942: return keys.filter((k) => !isPublicEnvKey(k)).map((k) => ({
  High · Cross File Remote Execution Context
  Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

  L21553: try {
  L21554: return globalThis.__dirname || eval("__dirname");
  L21555: } catch {
  Low · Eval
  Package source references a known benign dynamic code generation pattern.
src/resources/aws-setup.md

  L216: patternName = aws_access_key, severity = critical, line = 216, matchedText = - **Acce...LE`)
  Critical · Secret Pattern
  AWS access key ID in src/resources/aws-setup.md

Findings

3 Critical · 3 High · 1 Medium · 6 Low
  • Critical · Critical Secret · dist/aws-setup.md
  • Critical · Secret Pattern · dist/aws-setup.md
  • Critical · Secret Pattern · src/resources/aws-setup.md
  • High · Child Process · dist/index.cjs
  • High · Shell
  • High · Cross File Remote Execution Context · dist/index.cjs
  • Medium · Environment Vars
  • Low · Scripts Present
  • Low · Eval · dist/index.cjs
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · Copyleft License