AI Security Review
scanned 11d ago · by lpm-firewall-aiNo confirmed malicious attack behavior was found in inspected source. The main risk is install-time unauthenticated binary download from GitHub releases plus an included executable path that currently contains GitHub HTML rather than a binary.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; runtime CLI invocation runs rw-git-mcp or rw-git-mcp install-skills.
Impact
Supply-chain integrity risk if the release asset or redirect is compromised; no concrete malware behavior shown in package source.
Mechanism
postinstall release binary downloader and CLI proxy/skill copier
Rationale
The package uses a common but risky pattern for MCP/native-tool distribution: postinstall downloads a versioned binary from the project's GitHub releases without verification. Static inspection did not find credential theft, unconsented AI-agent config mutation, persistence, or malicious execution, so the evidence supports a warning rather than a publish block.
Evidence
package.jsoninstall.jsbin/cli.jsbin/rw-git-mcp-binskills/rw-git-mcp-installation/SKILL.mdbin/rw-git-mcp-bin.exe.agents/skills/rw-git-mcp
Network endpoints2
github.com/gbrandtio/rw-git/releases/download/v${version}/${artifactName}github.com/gbrandtio/rw-git.git
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall running install.js, which performs network download at install time.
- install.js downloads a platform-specific executable from GitHub releases without checksum/signature verification and writes bin/rw-git-mcp-bin.
- bin/rw-git-mcp-bin in the package is not a native executable; file reports GitHub HTML saved as executable, suggesting a bad/stale downloaded artifact.
- bin/cli.js can copy bundled skills into the current project's .agents/skills/rw-git-mcp, but only when the user invokes install-skills.
Evidence against
- install.js endpoint is aligned with declared repository github.com/gbrandtio/rw-git and versioned release asset names.
- No source evidence of credential harvesting, environment scraping, destructive commands, persistence, or exfiltration outside the release download.
- bin/cli.js spawns only the package-local rw-git-mcp-bin with forwarded user arguments.
- Bundled skill files are documentation/workflow prompts for the rw-git MCP and do not run during install/import.
Behavioral surface
ChildProcessFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings