registry  /  @gbrandtio/rw-git-mcp  /  3.1.1

@gbrandtio/rw-git-mcp@3.1.1

Model Context Protocol (MCP) server for rw-git

AI Security Review

scanned 8d ago · by lpm-firewall-ai

The package has a lifecycle downloader that installs an unverified native MCP executable from GitHub releases, then the CLI runs that executable. This is package-aligned but leaves unresolved supply-chain risk because reviewed npm source does not contain the actual runtime binary.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall downloads binary; rw-git-mcp CLI execution spawns it; install-skills is explicit user CLI action
Impact
Unverified release binary could perform arbitrary local git/MCP actions if the upstream artifact is compromised; no concrete malicious behavior is present in reviewed JS source.
Mechanism
postinstall remote binary download plus CLI process spawn
Attack narrative
On install, install.js selects a platform artifact and downloads it from github.com/gbrandtio/rw-git releases into bin/rw-git-mcp-bin, then marks it executable. Later, bin/cli.js spawns that binary. The package also ships user-invoked agent skills, including installation guidance for MCP client configs, but it does not lifecycle-write those configs.
Rationale
Source inspection did not show concrete malware or unconsented lifecycle mutation of broad AI-agent control surfaces, but the postinstall unverified binary downloader creates real unresolved supply-chain risk. Treat as warning rather than publish block because the endpoint and behavior are package-aligned and agent-surface writes are explicit/user-invoked.
Evidence
package.jsoninstall.jsbin/cli.jsbin/rw-git-mcp-binskills/rw-git-mcp-installation/SKILL.mdREADME.mdbin/rw-git-mcp-bin.exe.agents/skills/rw-git-mcp
Network endpoints2
github.com/gbrandtio/rw-git/releases/download/v${version}/${artifactName}github.com/gbrandtio/rw-git.git

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node install.js.
  • install.js downloads a platform executable from GitHub releases and chmods it without checksum/signature verification.
  • bin/cli.js spawns bin/rw-git-mcp-bin with user arguments at runtime.
  • bin/cli.js has user-invoked install-skills copying bundled agent skills into .agents/skills/rw-git-mcp.
  • Bundled installation skill instructs agents to edit Claude/Cursor/Gemini MCP configs when triggered by a user request.
Evidence against
  • No install-time writes to foreign AI-agent configs; postinstall only writes inside package bin/.
  • Network endpoint is package-aligned: github.com/gbrandtio/rw-git releases.
  • No JS evidence of credential/env harvesting, exfiltration, persistence, destructive actions, or reviewer prompt injection.
  • Agent-skill installation is explicit CLI command, not lifecycle-triggered.
  • Packaged bin/rw-git-mcp-bin is an HTML GitHub page, not an executable payload in the tarball.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.54 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings