registry  /  @iicp/client  /  0.7.82

@iicp/client@0.7.82

Use the open IICP AI mesh from TypeScript or JavaScript without running a node

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious install/import-time attack surface. The main unresolved risk is a default-on runtime self-updater in provider commands that installs the latest global package from npm and re-execs the CLI.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs iicp-node serve or iicp-node mcp-gateway with IICP_AUTO_UPDATE not disabled.
Impact
Package owner or registry compromise could cause remote code execution in a long-running provider process, but this is package-aligned updater behavior and not stealth install-time malware.
Mechanism
default-on runtime npm global self-update
Rationale
Source inspection does not show concrete malicious behavior, but the default-on runtime global self-updater is a meaningful remote-code/lifecycle risk for provider deployments. Because it is user-command runtime behavior and package-aligned, this should warn rather than block.
Evidence
package.jsondist/cli.jsdist/updater.jsdist/identity.jsdist/tunnel.jsdist/client.js~/.iicp/operator.json~/.iicp/nodes/<name>.json~/.iicp/state/quick_tunnel_rate_limit.json~/.iicp/state/quick_tunnel_create_gate.json~/.iicp/run/<node_id>.pid
Network endpoints8
registry.npmjs.org/@iicp/client/latestiicp.network/apiiicp.network/api/v1api.anthropic.comapi.ipify.orgapi6.ipify.orgcloudflare-dns.com/dns-query*.trycloudflare.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/updater.js default-on auto-update fetches npm latest and runs npm install -g @iicp/client@latest during serve/mcp-gateway.
  • dist/cli.js startProviderAutoUpdate() is called from runServe and runMcpGateway, not just an explicit update command.
  • dist/cli.js init can run npm install --no-save for optional deps after an interactive prompt.
  • dist/tunnel.js can spawn cloudflared for user-invoked Quick Tunnel reachability.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • Main import dist/index.js only re-exports SDK modules; provider actions are CLI/runtime commands.
  • Network endpoints are aligned with package function: iicp.network directory, npm registry update check, local backends, Cloudflare tunnel.
  • Identity files under ~/.iicp are created for operator/node config and chmod 0600; code avoids sending operator_secret/contact.
  • No credential harvesting, hidden exfiltration, destructive file operations, obfuscated payloads, or AI-agent control-surface mutation found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 44 file(s), 515 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.ipify.org, api6.ipify.org, cloudflare-dns.com, iicp.network, pkg.cloudflare.com, registry.npmjs.org, schemas.xmlsoap.org

Source & flagged code

5 flagged · loading source
dist/tunnel.jsView file
22exports.openQuickTunnel = openQuickTunnel; L23: const node_child_process_1 = require("node:child_process"); L24: const fs = require("node:fs");
High
Child Process

Package source references child process execution.

dist/tunnel.jsView on unpkg · L22
dist/node.jsView file
789// eslint-disable-next-line @typescript-eslint/no-explicit-any L790: this._prom = await eval('import("prom-client")'); L791: this._tasksCounter = new this._prom.Counter({
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/node.jsView on unpkg · L789
dist/client.jsView file
7exports.IicpClient = void 0; L8: const node_crypto_1 = require("node:crypto"); L9: const confidentiality_js_1 = require("./confidentiality.js");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/client.jsView on unpkg · L7
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @iicp/client@0.7.81 matchedIdentity = npm:QGlpY3AvY2xpZW50:0.7.81 similarity = 0.932 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg
407try { L408: (0, node_child_process_1.execSync)(`npm install --no-save ${extras.join(" ")}`, { stdio: "inherit" }); L409: process.stdout.write(" ✓ done\n");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L407

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/tunnel.js
HighShell
HighRuntime Package Installdist/cli.js
MediumDynamic Requiredist/client.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/node.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings