registry  /  @gbrandtio/rw-git-mcp  /  3.3.1

@gbrandtio/rw-git-mcp@3.3.1

Model Context Protocol (MCP) server for rw-git, a git intelligence library and MCP server, designed to provide deep intelligence via research-backed algorithms.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Installation fetches an unsigned platform-native payload from GitHub Releases and marks it executable. The CLI later spawns that payload with user-provided arguments; no confirmed malicious payload source is present in this archive.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall downloads the payload; user runs `rw-git-mcp` to execute it.
Impact
A compromised release asset or redirect could execute arbitrary code under the installing user.
Mechanism
postinstall remote native-binary download followed by CLI execution
Rationale
This is not proven malicious, but it is an install-time staged payload mechanism without integrity verification. Warn rather than block because the endpoint is package-aligned and no exfiltration, stealth persistence, or unconsented AI-agent control-surface mutation is present.
Evidence
package.jsoninstall.jsbin/cli.jsbin/rw-git-mcp-binskills/rw-git-mcp-installation/SKILL.md.agents/skills/rw-git-mcp
Network endpoints1
github.com/rw-core/rw-git/releases/download/v3.3.1/

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` runs `node install.js` on postinstall.
  • `install.js` downloads a platform-native executable during install.
  • `install.js` has no checksum, signature, or redirect-host validation.
  • `bin/cli.js` executes the downloaded file when invoked.
  • `bin/rw-git-mcp-bin` is packaged as GitHub HTML, not a native binary.
Evidence against
  • Download URL is version-pinned and package-aligned: `github.com/rw-core/rw-git`.
  • No credential harvesting, environment collection, or exfiltration found.
  • No automatic AI-agent configuration mutation; skill copying requires explicit `install-skills`.
  • No eval, shell interpolation, persistence, or destructive filesystem behavior found.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.54 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings