registry  /  @llmindset/hf-mcp  /  0.3.29

@llmindset/hf-mcp@0.3.29

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No install-time or stealth attack behavior is established. At runtime, explicit MCP tool calls can create Hugging Face jobs/sandboxes and execute caller-supplied commands remotely.

Static reason
No blocking static signals were detected.
Trigger
A caller invokes sandbox or jobs MCP operations with Hugging Face credentials.
Impact
A compromised or over-permissioned MCP caller could run commands and modify files in its authorized remote Hugging Face sandbox.
Mechanism
Authenticated remote job and sandbox command execution
Rationale
No malicious lifecycle hook, local credential harvesting, stealth persistence, or unconsented control-surface mutation was found. The package nonetheless exposes concrete remote execution capabilities, so it should be warned rather than marked clean.
Evidence
package.jsonsrc/index.tssrc/sandbox-tool.tssrc/jobs/commands/run.tssrc/jobs/commands/uv-utils.tssrc/network/safe-fetch.ts
Network endpoints2
huggingface.cohuggingface.co/buckets/huggingface/sbx-server/resolve/sbx-server

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/sandbox-tool.ts` creates and controls authenticated Hugging Face sandbox jobs.
  • `src/sandbox-tool.ts` posts user-provided commands to sandbox `/v1/exec` and supports filesystem writes.
  • `src/jobs/commands/run.ts` builds user-requested Hugging Face Job specifications; `uv-utils.ts` supports inline shell execution.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hooks.
  • `src/index.ts` exports library tools without import-time execution.
  • `src/network/safe-fetch.ts` validates redirects and strips sensitive headers cross-host.
  • `src/network/ip-policy.ts` blocks internal/reserved addresses for external fetches.
  • Observed endpoints are Hugging Face service endpoints aligned with package functionality.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 162 file(s), 1.27 MB of source, external domains: 127.0.0.1, arxiv.org, datasets-server.huggingface.co, demo-space.hf.space, example.com, fake-mcp.local, github.com, gradio.app, hf.co, huggingface.co, www.gradio.app, www.huggingface.co

Source & flagged code

3 flagged · loading source
src/sandbox-tool.tsView file
Published source reference
Medium
Ai Review Evidence

`src/sandbox-tool.ts` creates and controls authenticated Hugging Face sandbox jobs.

src/sandbox-tool.tsView on unpkg
Published source reference
Medium
Ai Review Evidence

`src/sandbox-tool.ts` posts user-provided commands to sandbox `/v1/exec` and supports filesystem writes.

src/sandbox-tool.tsView on unpkg
src/jobs/commands/run.tsView file
Published source reference
Medium
Ai Review Evidence

`src/jobs/commands/run.ts` builds user-requested Hugging Face Job specifications; `uv-utils.ts` supports inline shell execution.

src/jobs/commands/run.tsView on unpkg

Findings

5 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencesrc/sandbox-tool.ts
MediumAi Review Evidencesrc/sandbox-tool.ts
MediumAi Review Evidencesrc/jobs/commands/run.ts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License