AI Security Review
scanned 3h ago · by lpm-firewall-aiThe package exposes an MCP-facing capability to create Hugging Face sandboxes and execute arbitrary shell commands inside them. This is explicit remote sandbox control, not install-time execution or hidden host compromise.
Static reason
No blocking static signals were detected.
Trigger
An authenticated MCP caller invokes the exported sandbox create or exec tool.
Impact
Commands and file operations can affect the caller-created remote sandbox; optional token forwarding increases sandbox access.
Mechanism
Caller-controlled shell execution in a Hugging Face Job sandbox
Rationale
No concrete malicious behavior was found, but the exported authenticated shell-execution and remote file-control capability is materially dangerous dual-use. It warrants a warn classification rather than a block.
Evidence
package.jsonsrc/sandbox-tool.tssrc/jobs/api-client.tssrc/network/safe-fetch.tssrc/network/url-policy.ts
Network endpoints2
huggingface.co/api<jobId>--<port>.hf.jobs
Decision evidence
public snapshotAI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/sandbox-tool.ts` exports authenticated sandbox create/read/write/exec tools.
- `HfSandboxExecTool` runs caller-supplied `cmd` through `/bin/sh -lc` in an HF Job.
- Sandbox RPC sends HF and sandbox tokens to the created job endpoint.
- `forward_hf_token` can intentionally pass the caller token into a created sandbox.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare hook.
- No local filesystem, agent-config, credential-harvesting, or persistence writes found.
- Network code uses URL/IP validation, redirect limits, and external-address checks.
- Sandbox execution requires an authenticated token and an explicit tool invocation.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcesrc/sandbox-tool.tsView file
•Published source reference
Medium
Ai Review Evidence
`src/sandbox-tool.ts` exports authenticated sandbox create/read/write/exec tools.
src/sandbox-tool.tsView on unpkgFindings
6 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencesrc/sandbox-tool.ts
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidence
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License