registry  /  @markdocket/cli  /  0.2.2

@markdocket/cli@0.2.2

Command-line client + MCP server for MarkDocket patent review, prior art, IP operations, and visual automations.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `markdocket setup cursor --install` or `markdocket setup claude-code --install`; normal CLI/MCP use activates API requests.
Impact
A consenting user can add this package as an AI-agent tool; the Cursor entry uses an unpinned latest package version.
Mechanism
Explicit first-party MCP configuration plus authenticated MarkDocket API/OAuth client.
Rationale
Source inspection found no lifecycle execution, credential harvesting, exfiltration, destructive behavior, or unconsented agent configuration mutation. Per policy, the explicit AI-agent configuration capability warrants a warn verdict despite no concrete malicious chain.
Evidence
package.jsonbin/markdocket.mjsdist/index.jsREADME.md~/.cursor/mcp.json~/.config/markdocket/config.json
Network endpoints2
app.markdocket.comapp.markdocket.com/mcp

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` implements `setup cursor --install`, which writes `~/.cursor/mcp.json`.
  • `dist/index.js` implements `setup claude-code --install`, spawning `claude mcp add`.
  • The installed stdio entry runs `npx -y @markdocket/cli@latest mcp`, permitting future package updates when the configured agent starts.
  • CLI runtime sends authenticated API/OAuth requests to `https://app.markdocket.com`.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • `bin/markdocket.mjs` only imports the CLI bundle after explicit bin invocation.
  • Agent configuration writes require explicit `--install`; Cursor replacement additionally requires `--force` for a differing entry.
  • Config/token handling is scoped to MarkDocket config and uses owner-only filesystem modes; no broad credential harvesting found.
  • `eval` scanner hit is bundled AJV code generation, not package-controlled payload execution.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 3 file(s), 2.59 MB of source, external domains: 127.0.0.1, app.markdocket.com, github.com, json-schema.org, markdocket-api.fly.dev, markdocket.com, raw.githubusercontent.com, www.w3.org

Source & flagged code

4 flagged · loading source
dist/index.jsView file
6704import { EventEmitter } from "node:events"; L6705: import childProcess from "node:child_process"; L6706: import path from "node:path";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L6704
7753} L7754: const execArgv = process2.execArgv ?? []; L7755: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L7753
1228Cross-file remote execution chain: dist/index.js spawns dist/mcp/server.js; helper contains network access plus dynamic code execution. L1228: var names = { L1229: data: new codegen_1.Name("data"), L1230: valCxt: new codegen_1.Name("valCxt"), ... L2215: id = normalizeId(id); L2216: return resolver.resolve(baseId, id); L2217: } ... L3063: for (i = 0;i < input.length; i++) { L3064: code = input[i].charCodeAt(0); L3065: if (code === 48) { ... L6610: class CommanderError extends Error { L6611: constructor(exitCode, code, message) { L6612: super(message);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L1228
2894sourceCode = this.opts.code.process(sourceCode, sch); L2895: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L2896: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L2894

Findings

3 High2 Medium6 Low
HighChild Processdist/index.js
HighShelldist/index.js
HighCross File Remote Execution Contextdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License