registry  /  @iicp/client  /  0.7.76

@iicp/client@0.7.76

Use the open IICP AI mesh from TypeScript or JavaScript without running a node

AI Security Review

scanned 15d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Risky primitives are tied to explicit CLI provider workflows, optional dependency installation, auto-update, or tunnel setup rather than install/import-time execution.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `iicp-node` commands such as `serve`, `init`, `service install`, or `mcp-gateway`.
Impact
Package can contact service endpoints and modify user IICP/service config during CLI use, but no unconsented exfiltration or malicious lifecycle behavior was found.
Mechanism
user-invoked provider SDK networking, local config writes, optional subprocesses
Rationale
Static inspection shows a legitimate IICP client/provider CLI with user-invoked networking, config persistence, optional tunnel spawning, and documented auto-update behavior, but no lifecycle execution or data theft. The scanner findings are explained by package-aligned provider-node functionality rather than a malicious payload.
Evidence
package.jsondist/index.jsdist/cli.jsdist/updater.jsdist/tunnel.jsdist/identity.jsdist/operator_crypto.jsdist/service.jsdist/client.js
Network endpoints7
iicp.network/apiregistry.npmjs.org/@iicp/client/latestcloudflare-dns.com/dns-query*.trycloudflare.comapi.ipify.orgapi.anthropic.comlocalhost:11434

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/updater.js contains default-on serve-time self-update via `npm install -g @iicp/client@latest`.
  • dist/tunnel.js can spawn an existing `cloudflared` binary for Quick Tunnel when serve/NAT fallback is used.
  • dist/cli.js `init` may run `npm install --no-save` for optional peer deps after interactive user confirmation.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • dist/index.js only re-exports SDK modules; no import-time execution beyond requires.
  • Network traffic is package-aligned: IICP directory, backend probes, npm version check, Cloudflare tunnel health/DNS checks.
  • Identity code stores operator/node config under user IICP config and explicitly omits operator secret/contact from public views.
  • MCP gateway requires explicit `--tools` allowlist and blocks shell/interpreter tool names.
  • No credential harvesting, destructive behavior, persistence outside user-invoked service install, or AI-agent control-surface mutation found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 41 file(s), 477 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.ipify.org, api6.ipify.org, cloudflare-dns.com, iicp.network, pkg.cloudflare.com, registry.npmjs.org, schemas.xmlsoap.org

Source & flagged code

5 flagged · loading source
dist/tunnel.jsView file
22exports.openQuickTunnel = openQuickTunnel; L23: const node_child_process_1 = require("node:child_process"); L24: const fs = require("node:fs");
High
Child Process

Package source references child process execution.

dist/tunnel.jsView on unpkg · L22
dist/node.jsView file
713// eslint-disable-next-line @typescript-eslint/no-explicit-any L714: this._prom = await eval('import("prom-client")'); L715: this._tasksCounter = new this._prom.Counter({
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/node.jsView on unpkg · L713
dist/client.jsView file
7exports.IicpClient = void 0; L8: const node_crypto_1 = require("node:crypto"); L9: const errors_js_1 = require("./errors.js");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/client.jsView on unpkg · L7
dist/cli.jsView file
1888const _MCP_DANGEROUS = new Set([ L1889: "bash", "sh", "zsh", "fish", "shell", "powershell", "pwsh", "cmd", L1890: "exec", "execute", "run_command", "run", "system", "eval", ... L1899: if (helpFlag) { L1900: process.stdout.write(`usage: iicp-node mcp-gateway [options]\n\n` + L1901: `Bridge a local MCP server into the IICP mesh as a registered provider node.\n\n` + L1902: `Options:\n` + L1903: ` --mcp-url URL IICP_MCP_URL — MCP server base URL (default http://localhost:8001)\n` + L1904: ` --tools NAMES IICP_MCP_TOOLS — comma-separated tool names to advertise (required)\n` +
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L1888
333try { L334: (0, node_child_process_1.execSync)(`npm install --no-save ${extras.join(" ")}`, { stdio: "inherit" }); L335: process.stdout.write(" ✓ done\n");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L333

Findings

4 High4 Medium5 Low
HighChild Processdist/tunnel.js
HighShell
HighCommand Output Exfiltrationdist/cli.js
HighRuntime Package Installdist/cli.js
MediumDynamic Requiredist/client.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/node.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings