registry  /  @lovinka/deployik-mcp  /  1.0.0

@lovinka/deployik-mcp@1.0.0

MCP server for Deployik — drive projects, deployments, secrets, and domains from any MCP-aware AI.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found. The package does perform first-party MCP/Claude extension setup and optional launchd persistence when explicitly invoked by the user, so it carries agent extension lifecycle risk rather than blockable malware.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `deployik-mcp install`, `install-skill`, `install-mcp`, or `install --daemon`.
Impact
Adds Deployik tools/skills to Claude configs and may store a Deployik token in MCP config or a 0600 launchd plist.
Mechanism
explicit MCP config, skill install, and optional localhost daemon setup
Rationale
Because agent config and daemon persistence are explicit user-command functionality and package-aligned, this should not be publish-blocked. It should be warned as first-party agent extension lifecycle risk due to Claude config mutation and optional launchd persistence.
Evidence
package.jsondist/index.jsdist/install.jsdist/install-mcp.jsdist/install-skill.jsdist/install-daemon.jsdist/client/http.jsdist/daemon.jsdist/config/env.js~/.claude.json~/Library/Application Support/Claude/claude_desktop_config.json%APPDATA%/Claude/claude_desktop_config.json~/.config/Claude/claude_desktop_config.json<cwd>/.mcp.json~/.claude/skills/deployik-howto/<cwd>/.claude/skills/deployik-howto/~/Library/LaunchAgents/com.lovinka.deployik-mcp.plist~/.deployik-mcp/runtime/~/Library/Logs/deployik-mcp.out.log~/Library/Logs/deployik-mcp.err.log
Network endpoints4
deployik.lovinka.com/api/health/api/auth/meconfigured DEPLOYIK_URL

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • Explicit `install` command writes Claude MCP configs in `dist/install-mcp.js`.
  • Explicit `install-skill` writes Claude skill files in `dist/install-skill.js`.
  • Explicit `install --daemon` installs a macOS launchd service and rewrites Claude configs in `dist/install-daemon.js`.
Evidence against
  • `package.json` has no install/preinstall/postinstall lifecycle hooks; only `prepublishOnly`.
  • Default bin starts an MCP stdio server from `dist/index.js`; install mutations require user subcommands.
  • Network calls in `dist/client/http.js` and installer probes target configured Deployik URL with Bearer token.
  • Daemon binds to localhost by default and rejects non-local clients in `dist/daemon.js`.
  • No eval/vm/native binary loading or remote payload execution found.
  • Credential use is package-aligned: `DEPLOYIK_TOKEN` is sent only as Authorization to Deployik API or stored in explicit config/plist.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 343 KB of source, external domains: 10.x.x.x, 127.0.0.1, deployik.lovinka.com, lovinka.com, www.apple.com, www.google.com

Source & flagged code

2 flagged · loading source
dist/install-daemon.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @lovinka/deployik-mcp@1.0.1 matchedIdentity = npm:QGxvdmlua2EvZGVwbG95aWstbWNw:1.0.1 similarity = 0.938 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/install-daemon.jsView on unpkg
8// RunAtLoad=true, and DEPLOYIK_* in EnvironmentVariables. L9: // 2. Bootstrap it via `launchctl bootout` (clear any old version) + L10: // `launchctl bootstrap gui/$UID <plist>`. ... L12: // ({ command: "npx", args: [...], env: {...} }) with L13: // ({ type: "http", url: "http://127.0.0.1:8788/mcp" }). L14: // 4. Uninstall reverses all three. ... L18: // would need root to read it. L19: import { execFileSync } from "node:child_process"; L20: import { chmodSync, copyFileSync, cpSync, existsSync, mkdirSync, readFileSync, rmSync, unlinkSync, writeFileSync, } from "node:fs"; ... L28: function runtimeDir() { L29: return join(homedir(), ".deployik-mcp", "runtime"); L30: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/install-daemon.jsView on unpkg · L8

Findings

1 High4 Medium5 Low
HighPrevious Version Dangerous Deltadist/install-daemon.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/install-daemon.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings