AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Risky primitives are package-aligned CLI setup behavior activated by explicit commands.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs mushi init, login, connect, setup, doctor, or other CLI subcommands.
Impact
Stores Mushi credentials locally and may write project env/MCP config as documented; no evidence of hidden exfiltration, persistence, or destructive behavior.
Mechanism
User-authorized SDK setup, credential storage, API calls, and IDE MCP wiring.
Rationale
Static inspection shows a feature-rich CLI that performs user-invoked Mushi SDK setup, auth, reporting, diagnostics, and MCP configuration. Scanner exfiltration hints map to documented API-key headers and local config/env writes, with no install-time execution or hidden credential harvesting found.
Evidence
package.jsondist/index.jsdist/chunk-GSQO35YD.jsdist/chunk-LDPFTQLE.jsdist/connect-XFVSH4JZ.jsREADME.md.env.local.env.cursor/mcp.json.claude/mcp.json.continue/mcp.json.cursorrules.claude/rules/mushi.md
Network endpoints4
dxptnwrhwsqckaftyymj.supabase.co/functions/v1/apiregistry.npmjs.orgkensaur.us/mushi-mushi/adminlocalhost:6464
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no lifecycle scripts; bin is user-invoked ./dist/index.js.
- dist/index.js network calls are CLI auth/project/report/admin operations against configured Mushi endpoints.
- dist/index.js credential reads are limited to MUSHI_* config/env values and user prompts, then saved for CLI use.
- dist/index.js writes .env.local and .cursor/.claude/IDE MCP config only from explicit init/connect/setup commands.
- dist/chunk-GSQO35YD.js validates API keys, project IDs, and HTTPS endpoints before API/MCP use.
- MCP/rules writes are disclosed command behavior, not install-time or import-time mutation.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
51import * as p from "@clack/prompts";
L52: import { spawn } from "child_process";
L53: import { randomUUID } from "crypto";
...
L60: let end = endpoint.length;
L61: while (end > 0 && endpoint.charCodeAt(end - 1) === 47) end--;
L62: return endpoint.slice(0, end);
L63: }
L64: async function deviceFetch(url, init = {}) {
L65: const controller = new AbortController();
...
L90: headers: { "Content-Type": "application/json" },
L91: body: JSON.stringify({ device_code: deviceCode })
L92: });
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/index.jsView on unpkg · L5151Trigger-reachable chain: manifest.exports -> dist/index.js
L51: import * as p from "@clack/prompts";
L52: import { spawn } from "child_process";
L53: import { randomUUID } from "crypto";
...
L60: let end = endpoint.length;
L61: while (end > 0 && endpoint.charCodeAt(end - 1) === 47) end--;
L62: return endpoint.slice(0, end);
L63: }
L64: async function deviceFetch(url, init = {}) {
L65: const controller = new AbortController();
...
L90: headers: { "Content-Type": "application/json" },
L91: body: JSON.stringify({ device_code: deviceCode })
L92: });
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L51Findings
2 Critical3 Medium4 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings