registry  /  @lousy-agents/mcp  /  5.17.3

@lousy-agents/mcp@5.17.3

MCP server for lousy-agents - provides AI coding assistant tools via the Model Context Protocol

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
An MCP client invokes `create_claude_code_web_setup` or `create_copilot_setup_workflow`.
Impact
Future Claude Code sessions may execute generated environment or dependency-install commands; CI workflow configuration may be created or changed.
Mechanism
Explicit MCP-driven project configuration and hook creation.
Rationale
This is not concrete malicious package behavior, but it provides an explicit AI-agent configuration mutation capability that can create future command execution in a target project. Warn rather than block because writes are tool-invoked and no unconsented install-time control-surface mutation was found.
Evidence
package.jsondist/mcp-server.jsdist/913.jstargetDir/.claude/settings.jsontargetDir/CLAUDE.mdtargetDir/.github/workflows/copilot-setup-steps.ymltargetDir/.github/workflows/copilot-setup-steps.yaml

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/mcp-server.js` registers `create_claude_code_web_setup`, an MCP tool that writes target-project `.claude/settings.json` and `CLAUDE.md`.
  • The tool derives SessionStart hooks that can run environment/package setup commands such as `mise install`, `nvm install`, and configured package-manager installs.
  • `dist/mcp-server.js` also exposes a tool that creates or updates `.github/workflows/copilot-setup-steps.yml` in the selected target directory.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • The entrypoint starts an MCP stdio server; configuration writes occur only through registered tool handlers after an MCP request.
  • No `fetch`, HTTP request, or WebSocket call site was found in the inspected package entrypoint/chunk code.
  • The flagged invisible Unicode in `dist/913.js` occurs in bundled JSON5 parser handling, not an obscured payload.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
WildcardDependency
scanned 9 file(s), 605 KB of source, external domains: api.github.com, bitbucket.com, bitbucket.org, caniuse.com, gist.github.com, git.sr.ht, github.com, gitlab.com, jmrware.com, json-schema.org, mathiasbynens.be, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.w3.org
Oversized source lightweight scan
dist/mcp-server.js2.38 MB file, sampled 256 KB
ChildProcessEvalHighEntropyStringsUrlStringscaniuse.comgist.github.comgithub.comjmrware.comjson-schema.orgmathiasbynens.bespec.openapis.orgstackoverflow.comtools.ietf.orgwww.w3.org

Source & flagged code

3 flagged · loading source
dist/913.jsView file
21contains invisible/control Unicode U+FEFF (zero width no-break space) `?(c++,l=0):e?l+=e.length:l++,e&&(s+=e.length),e}let S={default(){switch(v){case` `:case`\v`:case`\f`:case` `:case`\xA0`:case`<U+FEFF>`:case`
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/913.jsView on unpkg · L21
dist/mcp-server.jsView file
path = dist/mcp-server.js kind = oversized_source_file sizeBytes = 2493170 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/mcp-server.jsView on unpkg
path = dist/mcp-server.js kind = oversized_cli_entrypoint sizeBytes = 2493170 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/mcp-server.jsView on unpkg

Findings

1 Critical1 High5 Medium6 Low
CriticalTrojan Source Unicodedist/913.js
HighOversized Source Filedist/mcp-server.js
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/mcp-server.js
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings