registry  /  @kasabeh/baton-mcp  /  0.4.0

@kasabeh/baton-mcp@0.4.0

Pass the baton between coding agents. Convert any coding-agent session to any other, and wire itself into every agent's MCP config.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time code downloads and extracts a release binary into `node_modules/.bin_real`; the CLI executes that binary on user invocation. No confirmed exfiltration or AI-agent control-surface mutation exists in the inspected JavaScript.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall; later execution of `baton`
Impact
Remote release artifact executes as the installing user, without source-level integrity verification.
Mechanism
platform binary bootstrap from fixed GitHub release URL
Rationale
No malicious behavior is established in the shipped JavaScript, but install-time retrieval and execution of an unverified remote binary is a concrete unresolved supply-chain risk. The package's stated agent-integration functionality is not implemented by the inspected JavaScript.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-baton.jsREADME.mdnpm-shrinkwrap.jsonnode_modules/.bin_real
Network endpoints1
github.com/Kaseban/baton/releases/download/v0.4.0

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `postinstall` via `install.js`.
  • `binary-install.js` downloads a platform binary, extracts it, then `run-baton.js` executes it.
  • Downloaded archive has no checksum/signature verification in package source.
Evidence against
  • `install.js` only calls the package-local binary installer.
  • Download URL is fixed to the package's GitHub release path in `package.json`.
  • Source reads only proxy environment variables; no harvesting of credentials, files, or agent configs is present.
  • No eval, dynamic code loading, hidden persistence, or broad AI-agent config mutation appears in shipped JavaScript.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 13.4 KB of source, external domains: example.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings