registry  /  @perfscale/controlplane-mcp  /  0.2.0

@perfscale/controlplane-mcp@0.2.0

MCP server for the perfscale controlplane (perfscale.su / perfscale.ru): machines, tests, runs, metrics, audit

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack behavior is present. At user-invoked runtime, the default composite server loads enabled MCP endpoints supplied by the Perfscale controlplane and forwards configured headers and tool calls to them.

Static reason
No blocking static signals were detected.
Trigger
User runs `perfscale-controlplane-mcp` with `PERFSCALE_API_TOKEN`; composite mode is on unless explicitly disabled.
Impact
A compromised or improperly configured admin-controlled remote MCP entry could receive its configured headers and gain an exposed tool-call path through the local MCP client.
Mechanism
Controlplane-configured remote MCP aggregation with header forwarding.
Rationale
No concrete malicious chain is found, but default aggregation of admin-configured third-party MCP endpoints with secret-header forwarding is a meaningful guarded agent-extension capability. Downgrade to warn rather than block because activation is user-invoked and there are no lifecycle hooks or unconsented foreign control-surface writes.
Evidence
package.jsondist/index.jsdist/client.jsdist/aggregator.jsdist/aggregator.d.tsdist/server.jsREADME.md
Network endpoints1
perfscale.su/api/v1/ai/mcp-servers/resolved

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/aggregator.js` fetches workspace-configured remote MCP definitions.
  • `dist/aggregator.js` connects to each enabled `remote.url` using configured secret headers.
  • `dist/aggregator.js` exposes and forwards calls to remote tool servers.
  • `dist/index.js` enables composite remote-server loading by default for the CLI.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • No filesystem writes, shell/process execution, eval, dynamic code loading, or local credential harvesting found.
  • `dist/client.js` reads only the explicit API-token and URL environment variables.
  • `dist/client.js` masks environment-variable values before returning them through MCP.
  • Remote resolution is documented and limited by the controlplane API's admin authorization path.
Behavioral surface
Source
EnvironmentVars
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 21.3 KB of source, external domains: perfscale.su

Source & flagged code

4 flagged · loading source
dist/aggregator.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/aggregator.js` fetches workspace-configured remote MCP definitions.

dist/aggregator.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

`dist/aggregator.js` connects to each enabled `remote.url` using configured secret headers.

dist/aggregator.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

`dist/aggregator.js` exposes and forwards calls to remote tool servers.

dist/aggregator.jsView on unpkg
dist/index.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/index.js` enables composite remote-server loading by default for the CLI.

dist/index.jsView on unpkg

Findings

5 Medium3 Low
MediumEnvironment Vars
MediumAi Review Evidencedist/aggregator.js
MediumAi Review Evidencedist/aggregator.js
MediumAi Review Evidencedist/aggregator.js
MediumAi Review Evidencedist/index.js
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings