registry  /  @gbrandtio/rw-git-mcp  /  3.0.8

@gbrandtio/rw-git-mcp@3.0.8

Model Context Protocol (MCP) server for rw-git

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack behavior was found in inspected source. The main risk is install-time unauthenticated binary download from GitHub releases plus an included executable path that currently contains GitHub HTML rather than a binary.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; runtime CLI invocation runs rw-git-mcp or rw-git-mcp install-skills.
Impact
Supply-chain integrity risk if the release asset or redirect is compromised; no concrete malware behavior shown in package source.
Mechanism
postinstall release binary downloader and CLI proxy/skill copier
Rationale
The package uses a common but risky pattern for MCP/native-tool distribution: postinstall downloads a versioned binary from the project's GitHub releases without verification. Static inspection did not find credential theft, unconsented AI-agent config mutation, persistence, or malicious execution, so the evidence supports a warning rather than a publish block.
Evidence
package.jsoninstall.jsbin/cli.jsbin/rw-git-mcp-binskills/rw-git-mcp-installation/SKILL.mdbin/rw-git-mcp-bin.exe.agents/skills/rw-git-mcp
Network endpoints2
github.com/gbrandtio/rw-git/releases/download/v${version}/${artifactName}github.com/gbrandtio/rw-git.git

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall running install.js, which performs network download at install time.
  • install.js downloads a platform-specific executable from GitHub releases without checksum/signature verification and writes bin/rw-git-mcp-bin.
  • bin/rw-git-mcp-bin in the package is not a native executable; file reports GitHub HTML saved as executable, suggesting a bad/stale downloaded artifact.
  • bin/cli.js can copy bundled skills into the current project's .agents/skills/rw-git-mcp, but only when the user invokes install-skills.
Evidence against
  • install.js endpoint is aligned with declared repository github.com/gbrandtio/rw-git and versioned release asset names.
  • No source evidence of credential harvesting, environment scraping, destructive commands, persistence, or exfiltration outside the release download.
  • bin/cli.js spawns only the package-local rw-git-mcp-bin with forwarded user arguments.
  • Bundled skill files are documentation/workflow prompts for the rw-git MCP and do not run during install/import.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.54 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings