
@everystack/mcp@0.3.3

Governance layer that governs how any agent builds everystack — grounding, cheat gates, and Model-aware tooling over MCP

AI Security Review

scanned 11h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs everystack-mcp as an MCP server or explicitly installs/runs generated Claude hooks.
Impact
Can influence/deny Claude tool use and write local governance state after opt-in hook configuration; no automatic foreign control-surface mutation or exfiltration found.
Mechanism
documented MCP resources/prompts plus optional local governance hook CLI
Policy narrative
The main risk is agent-facing: if a user follows the governance_setup prompt and installs the generated Claude hooks, everystack-mcp can gate Claude tool calls and record local telemetry. Source inspection shows this path is documented and confirm-first, with no npm lifecycle delivery and no automatic writes into .claude or MCP configs, so it does not meet the blockable unconsented control-hijack threshold.
Rationale
Static inspection found a documented, opt-in agent governance capability with local filesystem state, but no lifecycle hook abuse, silent agent config mutation, credential harvesting, exfiltration, persistence, or remote payload execution. Because the package can affect an AI agent control surface after opt-in, warn rather than mark fully clean.
Evidence
  • package.json
  • README.md
  • src/index.ts
  • src/prompts/governance-setup.ts
  • src/prompts/claude-md.ts
  • src/governance/cli.ts
  • src/governance/grounding.ts
  • src/gates/telemetry.ts
  • src/tools/check-environment.ts
  • dist/aws-setup.md
  • ~/.everystack/governance/grounding/<session>.json
  • ~/.everystack/governance/<session>.jsonl
  • ~/.claude/CLAUDE.md
  • <project>/CLAUDE.md
Network endpoints (6)
  • nodejs.org
  • git-scm.com
  • aws.amazon.com/cli/
  • www.postgresql.org/download/
  • aws.amazon.com/free
  • console.aws.amazon.com

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/prompts/governance-setup.ts generates Claude Code hook config for .claude/settings.json, but as a confirm-first prompt.
  • src/governance/grounding.ts can deny non-Read Claude tool use until CLAUDE.md files are read when hooks are installed.
  • src/gates/telemetry.ts writes local finding telemetry under ~/.everystack/governance/*.jsonl.
  • src/tools/check-environment.ts uses execSync for local version checks including npx expo and npx sst.
Evidence against
  • package.json has no preinstall/postinstall/prepare lifecycle hooks.
  • No source writes .claude/settings.json, .mcp.json, CLAUDE.md, or other foreign agent config automatically.
  • README.md documents MCP setup and says governance hooks are opt-in/local-only.
  • src/index.ts starts an MCP stdio server or explicit hook subcommands only; no import-time payload beyond main entry execution.
  • No credential exfiltration or package-owned remote endpoint calls found.
  • dist/aws-setup.md contains AWS setup documentation/placeholders, not embedded live secrets.
Behavioral surface
Source
Child Process · Environment Vars · Eval · Filesystem · Shell
Supply chain
High Entropy Strings · Url Strings
Manifest
Copyleft License
scanned 53 file(s), 1.12 MB of source, external domains: aws.amazon.com, awscli.amazonaws.com, git-scm.com, github.com, json-schema.org, nodejs.org, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.postgresql.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

7 flagged

dist/aws-setup.md
patternName = aws_access_key · severity = critical · line = 216 · matchedText = - **Acce...LE`)
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/aws-setup.md · L216

dist/aws-setup.md
patternName = aws_access_key · severity = critical · line = 216 · matchedText = - **Acce...LE`)
Critical
Secret Pattern

AWS access key ID in dist/aws-setup.md

dist/aws-setup.md · L216

dist/tools/check-environment.js
matchType = previous_version_dangerous_delta · matchedPackage = @everystack/mcp@0.3.0 · matchedIdentity = npm:QGV2ZXJ5c3RhY2svbWNw:0.3.0 · similarity = 0.885 · summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/tools/check-environment.js

L1: import { execSync } from 'node:child_process';
L2: import { existsSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/tools/check-environment.js · L1

dist/resources/index.js
L9: return globalThis.__dirname
L10:     || eval('__dirname');
L11: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/resources/index.js · L9

dist/index.cjs
Cross-file remote execution chain: dist/index.cjs spawns dist/resources/index.js; helper contains network access plus dynamic code execution.
L1229: // validation function arguments
L1230: data: new codegen_1.Name("data"),
L1231: // data passed to validation function
...
L2256: id = normalizeId(id);
L2257: return resolver.resolve(baseId, id);
L2258: }
...
L3119: for (i = 0; i < input.length; i++) {
L3120: code = input[i].charCodeAt(0);
L3121: if (code === 48) {
...
L6940: }
L6941: function classifyPrivateEnvKeys(keys, source) {
L6942: return keys.filter((k) => !isPublicEnvKey(k)).map((k) => ({
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.cjs · L1229

src/resources/aws-setup.md
patternName = aws_access_key · severity = critical · line = 216 · matchedText = - **Acce...LE`)
Critical
Secret Pattern

AWS access key ID in src/resources/aws-setup.md

src/resources/aws-setup.md · L216

Findings

4 Critical · 3 High · 1 Medium · 6 Low

Critical · Critical Secret · dist/aws-setup.md
Critical · Previous Version Dangerous Delta · dist/tools/check-environment.js
Critical · Secret Pattern · dist/aws-setup.md
Critical · Secret Pattern · src/resources/aws-setup.md
High · Child Process · dist/tools/check-environment.js
High · Shell
High · Cross File Remote Execution Context · dist/index.cjs
Medium · Environment Vars
Low · Scripts Present
Low · Eval · dist/resources/index.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License