registry  /  @gbrandtio/rw-git-mcp  /  3.4.1

@gbrandtio/rw-git-mcp@3.4.1

Model Context Protocol (MCP) server for rw-git, a git intelligence library and MCP server, designed to provide deep intelligence via research-backed algorithms.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

On npm installation, the package downloads and marks executable a native payload from its release endpoint. The shipped artifact is an inert GitHub 404 HTML document, so the CLI cannot run as intended in this package snapshot. No source-established credential theft or foreign AI-agent configuration mutation was found.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall; explicit `rw-git-mcp install-skills`; normal CLI invocation
Impact
Remote artifact replacement risk from an unverified release download; current bundled payload is non-executable.
Mechanism
postinstall remote binary downloader plus explicit local skill copy
Rationale
The automatic unverified native download is a real unresolved supply-chain risk, but the source does not establish malicious intent or behavior. Flag as warn rather than block.
Evidence
package.jsoninstall.jsbin/cli.jsbin/rw-git-mcp-binREADME.md.agents/skills/rw-git-mcp
Network endpoints1
github.com/rw-core/rw-git/releases/download/v3.4.1/rw_git_mcp_{platform}_{arch}

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `postinstall` automatically.
  • `install.js` downloads a platform executable without checksum/signature verification.
  • `install.js` follows a redirect and writes/chmods `bin/rw-git-mcp-bin`.
  • Bundled `bin/rw-git-mcp-bin` is a GitHub 404 HTML page, not an executable.
Evidence against
  • Install URL is version-pinned and package-aligned: `github.com/rw-core/rw-git`.
  • No source evidence of credential harvesting, environment collection, exfiltration, eval, or destructive actions.
  • `.agents` write occurs only under explicit `rw-git-mcp install-skills` user command.
  • CLI only proxies user arguments to the downloaded binary.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.54 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings