registry  /  @mushi-mushi/cli  /  0.26.1

@mushi-mushi/cli@0.26.1

CLI for Mushi Mushi — `mushi init` wizard installs the right SDK for your framework, plus report triage and pipeline health commands

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The explicit `mushi connect` command configures a Cursor MCP server. It stores supplied Mushi credentials in a project-local Cursor configuration that executes the package-owned MCP via npx.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `mushi connect` (or `mushi doctor --fix`) with credentials.
Impact
A configured IDE may execute `@mushi-mushi/mcp` with the supplied Mushi credentials.
Mechanism
first-party Cursor MCP configuration and npx-based extension setup
Rationale
No malicious install-time behavior or concrete credential-exfiltration chain was found. The explicit first-party IDE-agent configuration is a meaningful lifecycle risk under the firewall policy, so warn rather than block.
Evidence
package.jsondist/index.jsdist/init.jsdist/chunk-2ZLYNNA3.jsdist/chunk-QOY3DULB.js.cursor/mcp.json.gitignore.env.local~/.config/mushi/config.json
Network endpoints2
dxptnwrhwsqckaftyymj.supabase.co/functions/v1/apiregistry.npmjs.org

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `mushi connect` writes `.cursor/mcp.json` with Mushi API credentials.
  • MCP entry runs `npx -y @mushi-mushi/mcp` when the IDE loads it.
  • `mushi doctor --fix` can call the same connect flow.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • Writes occur only through explicit CLI commands, not import-time execution.
  • Config and project writes are package-aligned and credential files are gitignored/warned.
  • No source evidence of credential harvesting, stealth exfiltration, eval, or shell execution.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 385 KB of source, external domains: dxptnwrhwsqckaftyymj.supabase.co, github.com, kensaur.us, nodejs.org, registry.npmjs.org, supabase.com, xyz.supabase.co, your-app.vercel.app, your-domain.example.com

Source & flagged code

3 flagged · loading source
dist/index.jsView file
55import * as p from "@clack/prompts"; L56: import { spawn } from "child_process"; L57: import { randomUUID } from "crypto"; ... L65: let end = endpoint.length; L66: while (end > 0 && endpoint.charCodeAt(end - 1) === 47) end--; L67: return endpoint.slice(0, end); L68: } L69: async function deviceFetch(url, init = {}) { L70: const controller = new AbortController(); ... L82: headers: { "Content-Type": "application/json" }, L83: body: JSON.stringify(clientId ? { client_id: clientId } : {}) L84: });
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L55
55Trigger-reachable chain: manifest.exports -> dist/index.js L55: import * as p from "@clack/prompts"; L56: import { spawn } from "child_process"; L57: import { randomUUID } from "crypto"; ... L65: let end = endpoint.length; L66: while (end > 0 && endpoint.charCodeAt(end - 1) === 47) end--; L67: return endpoint.slice(0, end); L68: } L69: async function deviceFetch(url, init = {}) { L70: const controller = new AbortController(); ... L82: headers: { "Content-Type": "application/json" }, L83: body: JSON.stringify(clientId ? { client_id: clientId } : {}) L84: });
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L55
55import * as p from "@clack/prompts"; L56: import { spawn } from "child_process"; L57: import { randomUUID } from "crypto"; ... L65: let end = endpoint.length; L66: while (end > 0 && endpoint.charCodeAt(end - 1) === 47) end--; L67: return endpoint.slice(0, end); L68: } L69: async function deviceFetch(url, init = {}) { L70: const controller = new AbortController(); ... L82: headers: { "Content-Type": "application/json" }, L83: body: JSON.stringify(clientId ? { client_id: clientId } : {}) L84: });
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L55

Findings

2 Critical4 Medium4 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings