registry  /  @llmindset/hf-mcp  /  0.3.24

@llmindset/hf-mcp@0.3.24

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The package exposes an MCP-facing capability to create Hugging Face sandboxes and execute arbitrary shell commands inside them. This is explicit remote sandbox control, not install-time execution or hidden host compromise.

Static reason
No blocking static signals were detected.
Trigger
An authenticated MCP caller invokes the exported sandbox create or exec tool.
Impact
Commands and file operations can affect the caller-created remote sandbox; optional token forwarding increases sandbox access.
Mechanism
Caller-controlled shell execution in a Hugging Face Job sandbox
Rationale
No concrete malicious behavior was found, but the exported authenticated shell-execution and remote file-control capability is materially dangerous dual-use. It warrants a warn classification rather than a block.
Evidence
package.jsonsrc/sandbox-tool.tssrc/jobs/api-client.tssrc/network/safe-fetch.tssrc/network/url-policy.ts
Network endpoints2
huggingface.co/api<jobId>--<port>.hf.jobs

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/sandbox-tool.ts` exports authenticated sandbox create/read/write/exec tools.
  • `HfSandboxExecTool` runs caller-supplied `cmd` through `/bin/sh -lc` in an HF Job.
  • Sandbox RPC sends HF and sandbox tokens to the created job endpoint.
  • `forward_hf_token` can intentionally pass the caller token into a created sandbox.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • No local filesystem, agent-config, credential-harvesting, or persistence writes found.
  • Network code uses URL/IP validation, redirect limits, and external-address checks.
  • Sandbox execution requires an authenticated token and an explicit tool invocation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 148 file(s), 932 KB of source, external domains: 127.0.0.1, arxiv.org, datasets-server.huggingface.co, demo-space.hf.space, example.com, fake-mcp.local, github.com, gradio.app, hf.co, huggingface.co, www.gradio.app, www.huggingface.co

Source & flagged code

1 flagged · loading source
src/sandbox-tool.tsView file
Published source reference
Medium
Ai Review Evidence

`src/sandbox-tool.ts` exports authenticated sandbox create/read/write/exec tools.

src/sandbox-tool.tsView on unpkg

Findings

6 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencesrc/sandbox-tool.ts
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidence
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License