registry  /  @glasstrace/sdk  /  1.28.1

@glasstrace/sdk@1.28.1

Glasstrace server-side debugging SDK for AI coding agents

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `glasstrace init`, `glasstrace mcp add`, or `glasstrace uninit`
Impact
Adds/removes first-party Glasstrace MCP entries and managed agent instruction sections in project or agent config files.
Mechanism
explicit-user-command AI agent MCP configuration mutation
Rationale
This is not malicious under the install-control policy because there is no unconsented preinstall/install/postinstall mutation, remote payload execution, or credential theft. The explicit AI-agent MCP setup still warrants a warning because it changes broad agent configuration and instruction files.
Evidence
package.jsondist/chunk-3I3HACUK.jsdist/cli/init.cjsdist/cli/mcp-add.cjsdist/cli/uninit.cjsdist/index.cjsdist/cli/upgrade-instructions.cjs.mcp.json.codex/config.toml.gemini/settings.json.cursor/mcp.json.cursor/rules/glasstrace.mdc.cursorrulesAGENTS.mdCLAUDE.mdGEMINI.md.windsurf/rules/glasstrace.md~/.codeium/windsurf/mcp_config.json.glasstrace/mcp.json.glasstraceinstrumentation.tssrc/instrumentation.tsnext.config.ts
Network endpoints2
api.glasstrace.devapi.glasstrace.dev/mcp

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/chunk-3I3HACUK.js defines MCP config writes for Claude, Codex, Gemini, Cursor, Windsurf, and generic AGENTS.md.
  • dist/chunk-3I3HACUK.js injects managed agent instructions telling agents when to call Glasstrace MCP tools.
  • dist/cli/init.cjs and dist/cli/mcp-add.cjs expose explicit user commands that write MCP configs and agent instruction files.
  • dist/cli/uninit.cjs removes MCP configs, AGENTS sections, .glasstrace, .env.local entries, and related config on explicit uninit.
Evidence against
  • package.json has no preinstall/install/postinstall hook; preuninstall only prints a warning.
  • AI-agent config mutation is tied to explicit CLI commands, not automatic install-time execution.
  • Network endpoints are package-aligned: api.glasstrace.dev and api.glasstrace.dev/mcp.
  • child_process use is limited to CLI detection/registration and git hash helper, not remote payload execution.
  • No credential harvesting or exfiltration beyond user-supplied GLASSTRACE_API_KEY for Glasstrace API auth was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 55 file(s), 7.65 MB of source, external domains: api.glasstrace.dev, glasstrace.dev, glasstrace.invalid, json-schema.org

Source & flagged code

9 flagged · loading source
dist/chunk-WZXVS2EO.jsView file
1// ../../node_modules/@[redacted]-id/execAsync.js L2: import * as child_process from "child_process"; L3: import * as util from "util";
High
Child Process

Package source references child process execution.

dist/chunk-WZXVS2EO.jsView on unpkg · L1
1// ../../node_modules/@[redacted]-id/execAsync.js L2: import * as child_process from "child_process";
High
Shell

Package source references shell execution.

dist/chunk-WZXVS2EO.jsView on unpkg · L1
dist/node-subpath.cjsView file
47// src/source-map-uploader.ts L48: var fs = __toESM(require("node:fs/promises"), 1); L49: var path = __toESM(require("node:path"), 1);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/node-subpath.cjsView on unpkg · L47
dist/cli/init.cjsView file
154assignProp: () => assignProp, L155: base64ToUint8Array: () => base64ToUint8Array, L156: base64urlToUint8Array: () => base64urlToUint8Array, ... L1034: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1035: } : { success: true, data: result.value }; L1036: }; ... L2563: try { L2564: new URL(`http://[${payload.value}]`); L2565: } catch { ... L15541: async function readAnonKey(projectRoot) { L15542: const root = projectRoot ?? process.cwd(); L15543: const modules = await loadFsPath();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/init.cjsView on unpkg · L154
dist/index.cjsView file
40Cross-file remote execution chain: dist/index.cjs spawns dist/middleware/index.cjs; helper contains network access plus dynamic code execution. L40: return { L41: GLASSTRACE_API_KEY: process.env.GLASSTRACE_API_KEY?.trim() || void 0, L42: GLASSTRACE_FORCE_ENABLE: process.env.GLASSTRACE_FORCE_ENABLE, ... L94: "use strict"; L95: DEFAULT_ENDPOINT = "https://api.glasstrace.dev"; L96: } ... L194: assignProp: () => assignProp, L195: base64ToUint8Array: () => base64ToUint8Array, L196: base64urlToUint8Array: () => base64urlToUint8Array, ... L1074: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1075: } : { success: true, data: result.value }; L1076: };
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.cjsView on unpkg · L40
20179patternName = generic_password severity = medium line = 20179 matchedText = // `pass...d of
Medium
Secret Pattern

Hardcoded password in dist/index.cjs

dist/index.cjsView on unpkg · L20179
dist/cli/upgrade-instructions.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = @glasstrace/sdk@1.26.0 matchedIdentity = npm:QGdsYXNzdHJhY2Uvc2Rr:1.26.0 similarity = 0.909 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/upgrade-instructions.cjsView on unpkg
dist/node-entry.cjsView file
20149patternName = generic_password severity = medium line = 20149 matchedText = // `pass...d of
Medium
Secret Pattern

Hardcoded password in dist/node-entry.cjs

dist/node-entry.cjsView on unpkg · L20149
dist/chunk-XIYJPTN2.jsView file
238patternName = generic_password severity = medium line = 238 matchedText = // `pass...d of
Medium
Secret Pattern

Hardcoded password in dist/chunk-XIYJPTN2.js

dist/chunk-XIYJPTN2.jsView on unpkg · L238

Findings

1 Critical4 High8 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli/upgrade-instructions.cjs
HighChild Processdist/chunk-WZXVS2EO.js
HighShelldist/chunk-WZXVS2EO.js
HighSandbox Evasion Gated Capabilitydist/cli/init.cjs
HighCross File Remote Execution Contextdist/index.cjs
MediumDynamic Requiredist/node-subpath.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
MediumSecret Patterndist/node-entry.cjs
MediumSecret Patterndist/index.cjs
MediumSecret Patterndist/chunk-XIYJPTN2.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings