registry  /  @iicp/client  /  0.7.88

@iicp/client@0.7.88

Use the open IICP AI mesh from TypeScript or JavaScript without running a node

AI Security Review

scanned 2d ago · by lpm-firewall-ai

Long-running `iicp-node serve` and `mcp-gateway` processes enable a default-on background self-updater. It can replace the globally installed package with the npm `latest` release and restart the process.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Run a long-lived provider command and leave `IICP_AUTO_UPDATE` enabled (default).
Impact
A future registry/latest compromise or unsafe release can execute as the operator through automatic global upgrade.
Mechanism
Fetches package metadata, globally installs latest, then detached-reexecs the CLI.
Rationale
Source inspection does not substantiate malicious intent or covert exfiltration. The default-on self-updater is nevertheless a meaningful supply-chain execution risk and warrants a warning.
Evidence
package.jsondist/cli.jsdist/updater.jsdist/service.jsdist/identity.jsdist/tunnel.js
Network endpoints1
registry.npmjs.org/@iicp/client/latest

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli.js` starts a default-on auto-updater for long-running provider commands.
  • `dist/updater.js` fetches npm latest metadata and runs `npm install -g @iicp/client@latest`.
  • `dist/updater.js` detaches and re-executes the CLI after a successful upgrade.
  • `dist/cli.js` also offers explicit service-unit installation and optional dependency installation.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • The update target is the package's own npm name and registry endpoint, not an unrelated payload host.
  • Filesystem writes inspected are operator/node configuration, locks, logs, or explicit service units.
  • No source evidence of credential harvesting, secret exfiltration, destructive actions, or AI-agent configuration mutation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 563 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.ipify.org, api6.ipify.org, cloudflare-dns.com, iicp.network, pkg.cloudflare.com, registry.npmjs.org, schemas.xmlsoap.org

Source & flagged code

5 flagged · loading source
dist/tunnel.jsView file
22exports.openQuickTunnel = openQuickTunnel; L23: const node_child_process_1 = require("node:child_process"); L24: const fs = require("node:fs");
High
Child Process

Package source references child process execution.

dist/tunnel.jsView on unpkg · L22
dist/node.jsView file
803// eslint-disable-next-line @typescript-eslint/no-explicit-any L804: this._prom = await eval('import("prom-client")'); L805: this._tasksCounter = new this._prom.Counter({
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/node.jsView on unpkg · L803
dist/client.jsView file
7exports.IicpClient = void 0; L8: const node_crypto_1 = require("node:crypto"); L9: const confidentiality_js_1 = require("./confidentiality.js");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/client.jsView on unpkg · L7
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @iicp/client@0.7.82 matchedIdentity = npm:QGlpY3AvY2xpZW50:0.7.82 similarity = 0.705 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg
415try { L416: (0, node_child_process_1.execSync)(`npm install --no-save ${extras.join(" ")}`, { stdio: "inherit" }); L417: process.stdout.write(" ✓ done\n");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L415

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/tunnel.js
HighShell
HighRuntime Package Installdist/cli.js
MediumDynamic Requiredist/client.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/node.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings