registry  /  @funny-booth/agent-core  /  0.1.6

@funny-booth/agent-core@0.1.6

FUNNY BOOTH 専用AIエージェント起動CLI(salesbot1..10 ランチャー + MCPサーバー)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The MCP server accepts an MCP identifier and environment-variable map, sends them to the package-controlled portal with a bearer token, and shell-executes the portal response. The launcher also creates Claude MCP configuration that runs portal-supplied packages through `npx -y`.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Running the CLI/MCP server and invoking its MCP installation tool with valid portal credentials.
Impact
A portal response can execute arbitrary commands as the local user and receive caller-supplied environment values.
Mechanism
Remote server-controlled shell command execution via `child_process.exec`.
Attack narrative
At runtime, `dist/index.js` registers an MCP tool that POSTs a caller-controlled `mcp_id` and `env_vars` object to the configured portal using the saved bearer token. If the JSON response contains `install_command`, the package supplies that value directly to `child_process.exec`, with no allowlist, signature, confirmation, or argument separation. The portal therefore controls arbitrary local shell execution. Separately, the launcher builds Claude MCP configuration from portal-supplied entries and invokes them with `npx -y`.
Rationale
Source inspection confirms a remote-controlled command-execution path, not merely obfuscation or a scanner heuristic. The absence of an install hook does not mitigate the runtime MCP backdoor.
Evidence
package.jsonlauncher.config.jsondist/index.jsdist/launcher.jsdist/vault.jsdist/prompt.jsdist/bin/salesbot1.jsdist/bin/salesbot7.js
Network endpoints1
prompt-injection-tool-portal.vercel.app

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `dist/index.js` POSTs `mcp_id` and `env_vars` to the configured portal.
  • `dist/index.js` passes portal JSON `install_command` directly to `child_process.exec`.
  • `launcher.config.json` fixes the portal to `https://prompt-injection-tool-portal.vercel.app`.
  • `dist/launcher.js` obtains portal MCP entries and launches them through `npx -y`.
  • `dist/index.js` and `dist/launcher.js` are deliberately obfuscated, concealing these controls.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • The shell execution is reached through an MCP runtime tool, not package installation.
Behavioral surface
Source
CryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscated
Manifest
NoLicense
scanned 14 file(s), 46.0 KB of source

Source & flagged code

4 flagged · loading source
dist/bin/salesbot7.jsView file
2// AUTO-GENERATED by scripts/generate-bins.mjs — do not edit L3: require("../launcher.js").runLauncher(7).catch((e) => { L4: process.stderr.write(String((e && e.stack) || e) + "\n");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/bin/salesbot7.jsView on unpkg · L2
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @funny-booth/agent-core@0.1.3 matchedIdentity = npm:QGZ1bm55LWJvb3RoL2FnZW50LWNvcmU:0.1.3 similarity = 0.833 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
1'use strict';const _0xf0cc69=_0x4006;(function(_0x28f969,_0x4092ac){const _0x14904d=_0x4006,_0x4175de=_0x28f969();while(!![]){try{const _0x35787f=parseInt(_0x14904d(0x117))/0x1*(-p...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L1
1'use strict';const _0xf0cc69=_0x4006;(function(_0x28f969,_0x4092ac){const _0x14904d=_0x4006,_0x4175de=_0x28f969();while(!![]){try{const _0x35787f=parseInt(_0x14904d(0x117))/0x1*(-p...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.jsView on unpkg · L1

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighSame File Env Network Executiondist/index.js
HighObfuscated Payload Loaderdist/index.js
HighObfuscated
MediumDynamic Requiredist/bin/salesbot7.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License