registry  /  @kasabeh/baton-mcp  /  0.1.2

@kasabeh/baton-mcp@0.1.2

Pass the baton between coding agents. Convert any coding-agent session to any other, and wire itself into every agent's MCP config.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package uses npm postinstall to download and extract a platform-specific native Baton binary from its GitHub release. The JavaScript wrapper later spawns that binary when the baton command is run; source inspection cannot verify the downloaded binary contents.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; npx or baton command invokes the downloaded binary
Impact
Unverified native code is installed and can run with user privileges when invoked; no source-confirmed malicious behavior or stealth agent config mutation.
Mechanism
install-time remote native binary download and runtime spawn
Rationale
This is not source-confirmed malware: the network endpoint is package-aligned and no exfiltration, persistence, or unconsented AI-agent config mutation appears in the inspected JavaScript. It remains a warn-level supply-chain risk because npm install fetches and stages an unverified native binary that cannot be audited from the package source alone.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-baton.jsREADME.mdnode_modules/.bin_real
Network endpoints1
github.com/Kaseban/baton/releases/download/v0.1.0

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node ./install.js
  • install.js calls binary.install(false) during npm install
  • binary-install.js downloads release artifacts over HTTP(S) and extracts them into node_modules/.bin_real
  • binary-install.js has no hardcoded checksum or signature verification before extraction
  • run-baton.js invokes binary.run("baton"), which spawnSyncs the installed native binary
  • README documents baton install mutating agent MCP configs, but as an explicit user command
Evidence against
  • Download URL is package-aligned: https://github.com/Kaseban/baton/releases/download/v0.1.0
  • No preinstall/install/postinstall mutation of AI-agent configs found in JavaScript source
  • No credential harvesting, broad file scanning, or exfiltration logic found
  • No eval/vm/Function or dynamic remote JavaScript execution found
  • Proxy env use is limited to standard download support
  • README discloses npm installs a prebuilt binary
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 13.4 KB of source, external domains: example.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings