AI Security Review
scanned 8d ago · by lpm-firewall-aiThe package has a lifecycle downloader that installs an unverified native MCP executable from GitHub releases, then the CLI runs that executable. This is package-aligned but leaves unresolved supply-chain risk because reviewed npm source does not contain the actual runtime binary.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall downloads binary; rw-git-mcp CLI execution spawns it; install-skills is explicit user CLI action
Impact
Unverified release binary could perform arbitrary local git/MCP actions if the upstream artifact is compromised; no concrete malicious behavior is present in reviewed JS source.
Mechanism
postinstall remote binary download plus CLI process spawn
Attack narrative
On install, install.js selects a platform artifact and downloads it from github.com/gbrandtio/rw-git releases into bin/rw-git-mcp-bin, then marks it executable. Later, bin/cli.js spawns that binary. The package also ships user-invoked agent skills, including installation guidance for MCP client configs, but it does not lifecycle-write those configs.
Rationale
Source inspection did not show concrete malware or unconsented lifecycle mutation of broad AI-agent control surfaces, but the postinstall unverified binary downloader creates real unresolved supply-chain risk. Treat as warning rather than publish block because the endpoint and behavior are package-aligned and agent-surface writes are explicit/user-invoked.
Evidence
package.jsoninstall.jsbin/cli.jsbin/rw-git-mcp-binskills/rw-git-mcp-installation/SKILL.mdREADME.mdbin/rw-git-mcp-bin.exe.agents/skills/rw-git-mcp
Network endpoints2
github.com/gbrandtio/rw-git/releases/download/v${version}/${artifactName}github.com/gbrandtio/rw-git.git
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json runs postinstall: node install.js.
- install.js downloads a platform executable from GitHub releases and chmods it without checksum/signature verification.
- bin/cli.js spawns bin/rw-git-mcp-bin with user arguments at runtime.
- bin/cli.js has user-invoked install-skills copying bundled agent skills into .agents/skills/rw-git-mcp.
- Bundled installation skill instructs agents to edit Claude/Cursor/Gemini MCP configs when triggered by a user request.
Evidence against
- No install-time writes to foreign AI-agent configs; postinstall only writes inside package bin/.
- Network endpoint is package-aligned: github.com/gbrandtio/rw-git releases.
- No JS evidence of credential/env harvesting, exfiltration, persistence, destructive actions, or reviewer prompt injection.
- Agent-skill installation is explicit CLI command, not lifecycle-triggered.
- Packaged bin/rw-git-mcp-bin is an HTML GitHub page, not an executable payload in the tarball.
Behavioral surface
ChildProcessFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings