registry  /  @mgsoftwarebv/mg-dashboard-mcp  /  7.4.9

@mgsoftwarebv/mg-dashboard-mcp@7.4.9

MCP Server for MG Dashboard - SSH, SFTP, Docker, domains, DNS, and environment config tools for Cursor

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User starts the CLI with required credentials, then invokes an exposed MCP tool.
Impact
Authorized use can execute remote container commands and alter or delete operational data and DNS records.
Mechanism
Authenticated MCP dispatch to configured SSH, dashboard, DNS, database, and object-store operations.
Rationale
No concrete malicious behavior is established; the scanner's credential-exfiltration claim is unsupported by the inspected source. The package nevertheless provides broad, authenticated remote-administration capability, so it warrants a warning rather than a publish block.
Evidence
package.jsondist/index.js
Network endpoints3
dashboard.mgsoftware.nlmijn.host/api/v2user-supplied --proxy-url

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/index.js` exposes authenticated SSH/SFTP, Docker, database, DNS, and object-store mutation tools.
  • `dist/index.js` can run Docker commands through configured SSH servers and delete remote/S3-compatible objects.
  • `dist/index.js` can read a user-selected remote env file when explicit SSH-tunnel flags are supplied.
Evidence against
  • `package.json` has only `prepublishOnly`; no install, preinstall, or postinstall hook.
  • `dist/index.js` requires an API key and SSH-key path before starting normal MCP mode.
  • `dist/index.js` enforces API-key, SSH-key, role/module, tool-allowlist, and server-access checks.
  • SSH keys are used for local signing or configured SSH connections; no source path sends private-key or environment contents to an unrelated host.
  • Network calls target configured MG Dashboard/proxy endpoints and the explicit mijn.host API integration.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 566 KB of source, external domains: dashboard.mgsoftware.nl

Source & flagged code

3 flagged · loading source
dist/index.jsView file
1#!/usr/bin/env node L2: import { spawn } from 'child_process'; L3: import { existsSync, statSync, createReadStream, readFileSync } from 'fs'; ... L9: import { ListToolsRequestSchema, CallToolRequestSchema, isInitializeRequest, ListPromptsRequestSchema, GetPromptRequestSchema, ListResourcesRequestSchema, ReadResourceRequestSchema... L10: import { createServer as createServer$1 } from 'net'; L11: import { Client } from 'ssh2'; L12: import crypto, { randomUUID, createHash, randomBytes, createCipheriv, createDecipheriv } from 'crypto'; L13: import { readFile, mkdtemp, writeFile, rm } from 'fs/promises'; ... L20: import { once } from 'events'; L21: import { lookup } from 'dns/promises'; L22: import { connect } from 'tls'; ... L45: if (!path.startsWith("~")) return path;
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L1
1Trigger-reachable chain: manifest.main -> dist/index.js L1: #!/usr/bin/env node L2: import { spawn } from 'child_process'; L3: import { existsSync, statSync, createReadStream, readFileSync } from 'fs'; ... L9: import { ListToolsRequestSchema, CallToolRequestSchema, isInitializeRequest, ListPromptsRequestSchema, GetPromptRequestSchema, ListResourcesRequestSchema, ReadResourceRequestSchema... L10: import { createServer as createServer$1 } from 'net'; L11: import { Client } from 'ssh2'; L12: import crypto, { randomUUID, createHash, randomBytes, createCipheriv, createDecipheriv } from 'crypto'; L13: import { readFile, mkdtemp, writeFile, rm } from 'fs/promises'; ... L20: import { once } from 'events'; L21: import { lookup } from 'dns/promises'; L22: import { connect } from 'tls'; ... L45: if (!path.startsWith("~")) return path;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L1
10257patternName = generic_password severity = medium line = 10257 matchedText = mysql --...ord"
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.jsView on unpkg · L10257

Findings

2 Critical4 Medium5 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumSecret Patterndist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings