AI Security Review
scanned 1h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Importing or invoking the CLI launches a static `npx tsx core.ts` command, but `core.ts` is absent.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing `index.js` or running `mcpgql`
Impact
Fails to run; no source-grounded data access, persistence, or exfiltration is established.
Mechanism
Static child-process launch of a missing local TypeScript entrypoint
Rationale
The package is a malformed CLI wrapper with risky-looking but static runtime process invocation. Direct source inspection finds no concrete malicious behavior; scanner signals do not establish an attack chain.
Evidence
index.jspackage.jsoncore.ts
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
- `index.js` invokes `npx` through `spawnSync` with `shell: true` at module load.
- The manifest pins `@letoribo/mcp-graphql-enhanced` to `latest`.
Evidence against
- `package.json` has no preinstall, install, or postinstall hook.
- Only `index.js` and `package.json` are present; no hidden payload files found.
- The spawned arguments are static and contain no user-controlled shell input.
- No network, credential, environment, filesystem-write, or exfiltration code appears in source.
- `index.js` targets missing `core.ts`, so the CLI is broken rather than a functional payload.
Behavioral surface
ChildProcess
Trivial
WildcardDependency
Source & flagged code
2 flagged · loading sourceindex.jsView file
1#!/usr/bin/env node
L2: const { spawnSync } = require('child_process');
L3: const path = require('path');
High
5const pathToCore = path.join(__dirname, 'core.ts');
L6: spawnSync('npx', ['tsx', pathToCore], {
L7: stdio: 'inherit',
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
index.jsView on unpkg · L5Findings
2 High1 Medium1 Low
HighChild Processindex.js
HighRuntime Package Installindex.js
MediumWildcard Dependency
LowScripts Present