registry  /  @nirvana-labs/nirvana-mcp  /  1.93.0

@nirvana-labs/nirvana-mcp@1.93.0

The official MCP Server for the Nirvana Labs API

AI Security Review

scanned 7d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Running the mcp-server bin and invoking the MCP execute tool
Impact
An authorized MCP client could perform Nirvana API operations or read environment variables inside the Deno worker; no install-time compromise or unsolicited persistence was found.
Mechanism
Deno sandbox executes supplied TypeScript with SDK client credentials
Policy narrative
When a user runs the MCP server, clients can call the execute tool with TypeScript code. The package launches a Deno worker, evaluates that code, and passes it a Nirvana SDK client, while limiting network to the client base URL and reads to package-related paths. This is a dangerous agent-facing capability, but inspection did not find install-time hooks, foreign AI-agent control-surface mutation, persistence, destructive filesystem writes, credential harvesting, or unrelated exfiltration endpoints.
Rationale
Source inspection shows a package-aligned MCP execute capability with real dual-use risk, but activation is runtime/user-invoked and there is no concrete malicious install/import-time behavior. The correct firewall action is warn rather than publish block.
Evidence
package.jsonindex.jsserver.jscode-tool.jscode-tool-worker.jshttp.jsinstructions.jslocal-docs-search.jsstdio.jscode-tool-worker.mjscustomInstructionsPathdocsDir/*.mddocsDir/*.markdowndocsDir/*.json
Network endpoints4
api.nirvanalabs.iolocalhostgithub.com/stainless-api/jq-web/releases/download/v0.8.8/jq-web.tar.gzdeno.land

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • code-tool.js exposes default MCP execute tool for user/agent-supplied TypeScript code.
  • code-tool.js spawns Deno worker with --allow-env and --allow-net limited to SDK client baseURL hostname.
  • code-tool-worker.js imports a data: TypeScript module built from supplied code and calls exported run(client).
  • http.js accepts x-stainless-mcp-client-permissions to override method allow/block options for HTTP clients.
Evidence against
  • package.json has no npm lifecycle install/preinstall/postinstall hooks.
  • index.js only starts stdio/http MCP transport when invoked as bin/main, not on install or import.
  • No writes to .mcp.json, CLAUDE.md, Claude/Codex/Cursor settings, shell startup files, VCS hooks, or autostart paths found.
  • Deno worker read access is scoped to package/node_modules paths and SDK symlink target; no broad filesystem read/write permission.
  • HTTP logs redact auth/key/token/cookie headers in http.js.
  • local-docs-search.js reads only explicit docsDir markdown/json files for local search indexing.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 1.78 MB of source, external domains: api.nirvanalabs.io, bun.sh, cursor.com, deno.land, developer.hashicorp.com, docs.deno.com, docs.nirvanalabs.io, endoflife.date, github.com, go.dev, img.shields.io, jsr.io, npmjs.org, pkg.go.dev, raw.githubusercontent.com, registry.terraform.io, semver.org, vscode.stainless.com, www.github.com, www.npmjs.com

Source & flagged code

4 flagged · loading source
instructions.jsView file
7exports.getInstructions = getInstructions; L8: const promises_1 = __importDefault(require("fs/promises")); L9: const logger_1 = require("./logger.js");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

instructions.jsView on unpkg · L7
package.jsonView file
scripts registry_only=start
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
Remote tarball dependency specs: jq-web@https://github.com/stainless-api/jq-web/releases/download/v0.8.8/jq-web.tar.gz
Medium
Remote Tarball Dependency

Package manifest contains a dependency pinned to a remote tarball URL.

package.jsonView on unpkg
local-docs-search.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @nirvana-labs/nirvana-mcp@1.92.1 matchedIdentity = npm:[redacted]:1.92.1 similarity = 0.939 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

local-docs-search.jsView on unpkg

Findings

1 Critical1 High4 Medium4 Low
CriticalManifest Confusionpackage.json
HighPrevious Version Dangerous Deltalocal-docs-search.js
MediumDynamic Requireinstructions.js
MediumNetwork
MediumEnvironment Vars
MediumRemote Tarball Dependencypackage.json
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings