registry  /  @llmindset/hf-mcp  /  0.3.25

@llmindset/hf-mcp@0.3.25

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
An authenticated caller invokes `hf_sandbox`/`hf_sandbox_exec` or a jobs operation with command or script arguments.
Impact
Caller-directed remote code execution and remote file read/write within the created sandbox or mounted Hub volumes.
Mechanism
Remote Hugging Face Job provisioning and sandbox command execution.
Rationale
No malicious install-time or stealth behavior was found. However, the package deliberately provides authenticated remote command execution and remote file operations, a dangerous dual-use capability requiring a warning.
Evidence
package.jsonsrc/index.tssrc/sandbox-tool.tssrc/jobs/api-client.tssrc/jobs/commands/run.tssrc/jobs/commands/uv-utils.tssrc/network/safe-fetch.ts
Network endpoints3
huggingface.co/apihuggingface.co/api/jobshuggingface.co/jobs

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/sandbox-tool.ts` embeds a Python RPC server that runs supplied commands with `subprocess.run`.
  • `src/sandbox-tool.ts` provisions authenticated Hugging Face Jobs and exposes sandbox `exec`, read, and write operations.
  • `src/jobs/commands/uv-utils.ts` accepts inline or URL script sources and builds commands for a remote UV job.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `src/index.ts` only exports modules; no import-time execution is present.
  • Sandbox/job actions require explicit tool invocation plus an HF token.
  • Network targets are Hugging Face service endpoints; no unrelated exfiltration endpoint was found.
  • No local filesystem harvesting, shell spawning in the npm host, eval, or agent-config writes were found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 152 file(s), 961 KB of source, external domains: 127.0.0.1, arxiv.org, datasets-server.huggingface.co, demo-space.hf.space, example.com, fake-mcp.local, github.com, gradio.app, hf.co, huggingface.co, www.gradio.app, www.huggingface.co

Source & flagged code

3 flagged · loading source
src/sandbox-tool.tsView file
Published source reference
Medium
Ai Review Evidence

`src/sandbox-tool.ts` embeds a Python RPC server that runs supplied commands with `subprocess.run`.

src/sandbox-tool.tsView on unpkg
Published source reference
Medium
Ai Review Evidence

`src/sandbox-tool.ts` provisions authenticated Hugging Face Jobs and exposes sandbox `exec`, read, and write operations.

src/sandbox-tool.tsView on unpkg
src/jobs/commands/uv-utils.tsView file
Published source reference
Medium
Ai Review Evidence

`src/jobs/commands/uv-utils.ts` accepts inline or URL script sources and builds commands for a remote UV job.

src/jobs/commands/uv-utils.tsView on unpkg

Findings

5 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencesrc/sandbox-tool.ts
MediumAi Review Evidencesrc/sandbox-tool.ts
MediumAi Review Evidencesrc/jobs/commands/uv-utils.ts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License