registry  /  @nirvana-labs/nirvana-mcp  /  1.94.0

@nirvana-labs/nirvana-mcp@1.94.0

The official MCP Server for the Nirvana Labs API

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Runtime MCP calls can invoke a local Deno worker to evaluate caller-provided TypeScript. This is an explicit code-execution capability rather than install-time execution, with network restricted to the configured Nirvana SDK host.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A connected MCP client invokes the `execute` code tool.
Impact
Caller-provided code can access inherited environment values and the Nirvana SDK within the worker's granted permissions.
Mechanism
Dynamic evaluation of caller-supplied TypeScript in a permissioned Deno worker.
Rationale
No concrete malicious chain is present, but the package exposes deliberate local execution of MCP-supplied code with environment access. Treat as a warning-level dangerous capability for the upstream firewall.
Evidence
package.jsonindex.jssrc/code-tool.tssrc/code-tool-worker.tssrc/auth.ts

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/code-tool.ts` exposes an MCP `execute` tool accepting caller-supplied TypeScript.
  • `src/code-tool-worker.ts` evaluates supplied code through a data-URL dynamic require.
  • `src/code-tool.ts` starts a local Deno worker with inherited environment variables.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or uninstall lifecycle hook.
  • `index.js` only starts the server when executed as its CLI entrypoint.
  • The Deno worker restricts network access to the configured SDK API hostname.
  • The worker read permission is limited to package/SDK paths; no package code writes files.
  • No hardcoded exfiltration endpoint, persistence, destructive operation, or agent-config mutation was found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 1.87 MB of source, external domains: api.nirvanalabs.io, bun.sh, cursor.com, deno.land, developer.hashicorp.com, docs.deno.com, docs.nirvanalabs.io, endoflife.date, github.com, go.dev, img.shields.io, jsr.io, npmjs.org, pkg.go.dev, raw.githubusercontent.com, registry.terraform.io, semver.org, vscode.stainless.com, www.github.com, www.npmjs.com

Source & flagged code

4 flagged · loading source
instructions.jsView file
7exports.getInstructions = getInstructions; L8: const promises_1 = __importDefault(require("fs/promises")); L9: const logger_1 = require("./logger.js");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

instructions.jsView on unpkg · L7
package.jsonView file
scripts registry_only=start
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
Remote tarball dependency specs: jq-web@https://github.com/stainless-api/jq-web/releases/download/v0.8.8/jq-web.tar.gz
Medium
Remote Tarball Dependency

Package manifest contains a dependency pinned to a remote tarball URL.

package.jsonView on unpkg
code-tool-worker.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @nirvana-labs/nirvana-mcp@1.93.0 matchedIdentity = npm:[redacted]:1.93.0 similarity = 0.816 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

code-tool-worker.jsView on unpkg

Findings

1 Critical1 High4 Medium4 Low
CriticalManifest Confusionpackage.json
HighPrevious Version Dangerous Deltacode-tool-worker.js
MediumDynamic Requireinstructions.js
MediumNetwork
MediumEnvironment Vars
MediumRemote Tarball Dependencypackage.json
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings