registry  /  @iicp/client  /  0.7.78

@iicp/client@0.7.78

Use the open IICP AI mesh from TypeScript or JavaScript without running a node

AI Security Review

scanned 14d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The main unresolved risk is a user-invoked provider CLI with default-on self-update that can globally install a newer @iicp/client from npm during runtime.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs iicp-node serve or explicit CLI dependency/update flows.
Impact
Potential supply-chain/control risk from automatic global update, but no inspected code performs install-time compromise, credential theft, or unrelated exfiltration.
Mechanism
runtime npm install/self-update and package-aligned network client/node operations
Attack narrative
A user-invoked provider node can contact the npm registry, install @iicp/client@latest globally, and re-exec itself by default. This is risky operational behavior for a library CLI, but the inspected version does not add lifecycle execution, hidden payload fetching, credential harvesting, or unrelated exfiltration; network and file operations are explained by IICP node/proxy/tunnel functionality.
Rationale
Static source inspection supports a warning for default-on runtime self-update and optional dependency installation, not a malicious block. Suspicious primitives are tied to the advertised node/proxy/tunnel SDK behavior and require user-invoked CLI runtime, with no install/import-time attack found.
Evidence
package.jsondist/index.jsdist/cli.jsdist/updater.jsdist/tunnel.jsdist/client.jsdist/identity.jsdist/node.jsdist/nat_detection.js~/.iicp/operator.json~/.iicp/nodes/<name>.json~/.iicp/state/quick_tunnel_rate_limit.json~/.iicp/state/quick_tunnel_create_gate.json~/.iicp/state/quick_tunnel_create.lock
Network endpoints11
registry.npmjs.org/@iicp/client/latestiicp.network/apiapi.anthropic.comapi.ipify.orgapi6.ipify.orgcloudflare-dns.com/dns-query*.trycloudflare.comlocalhost:11434localhost:8080/v1localhost:8000/v1127.0.0.1:9483

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/updater.js default-on autoUpdateEnabled checks registry and runs spawn('npm',['install','-g','@iicp/client@latest']) during long-running serve unless IICP_AUTO_UPDATE=0.
  • dist/cli.js startProviderAutoUpdate wires updater into provider runtime; dist/cli.js installMissing can run npm install --no-save for optional extras when user invokes dependency setup.
  • dist/tunnel.js spawns existing cloudflared for user-requested/auto NAT Quick Tunnel and writes state under IICP_HOME or ~/.iicp/state.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; main dist/index.js only re-exports SDK modules.
  • dist/cli.js executes main only under require.main === module, so importing ./cli does not run commands.
  • Network endpoints are package-aligned: https://iicp.network/api, npm registry, local backend URLs, Anthropic API, Cloudflare tunnel/DoH.
  • No source evidence of credential harvesting, arbitrary remote payload execution, destructive filesystem actions, or unconsented install-time behavior.
  • Identity/token files in dist/identity.js are created for CLI node operation under ~/.iicp with chmod 0600, not exfiltrated in inspected paths.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 42 file(s), 496 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.ipify.org, api6.ipify.org, cloudflare-dns.com, iicp.network, pkg.cloudflare.com, registry.npmjs.org, schemas.xmlsoap.org

Source & flagged code

6 flagged · loading source
dist/tunnel.jsView file
22exports.openQuickTunnel = openQuickTunnel; L23: const node_child_process_1 = require("node:child_process"); L24: const fs = require("node:fs");
High
Child Process

Package source references child process execution.

dist/tunnel.jsView on unpkg · L22
dist/node.jsView file
756// eslint-disable-next-line @typescript-eslint/no-explicit-any L757: this._prom = await eval('import("prom-client")'); L758: this._tasksCounter = new this._prom.Counter({
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/node.jsView on unpkg · L756
dist/client.jsView file
7exports.IicpClient = void 0; L8: const node_crypto_1 = require("node:crypto"); L9: const errors_js_1 = require("./errors.js");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/client.jsView on unpkg · L7
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @iicp/client@0.7.77 matchedIdentity = npm:QGlpY3AvY2xpZW50:0.7.77 similarity = 0.976 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/cli.jsView on unpkg
2109const _MCP_DANGEROUS = new Set([ L2110: "bash", "sh", "zsh", "fish", "shell", "powershell", "pwsh", "cmd", L2111: "exec", "execute", "run_command", "run", "system", "eval", ... L2120: if (helpFlag) { L2121: process.stdout.write(`usage: iicp-node mcp-gateway [options]\n\n` + L2122: `Bridge a local MCP server into the IICP mesh as a registered provider node.\n\n` + L2123: `Options:\n` + L2124: ` --mcp-url URL IICP_MCP_URL — MCP server base URL (default http://localhost:8001)\n` + L2125: ` --tools NAMES IICP_MCP_TOOLS — comma-separated tool names to advertise (required)\n` +
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L2109
404try { L405: (0, node_child_process_1.execSync)(`npm install --no-save ${extras.join(" ")}`, { stdio: "inherit" }); L406: process.stdout.write(" ✓ done\n");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L404

Findings

1 Critical4 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/tunnel.js
HighShell
HighCommand Output Exfiltrationdist/cli.js
HighRuntime Package Installdist/cli.js
MediumDynamic Requiredist/client.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/node.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings