AI Security Review
scanned 1h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack behavior is present. At user-invoked runtime, the default composite server loads enabled MCP endpoints supplied by the Perfscale controlplane and forwards configured headers and tool calls to them.
Decision evidence
public snapshot- `dist/aggregator.js` fetches workspace-configured remote MCP definitions.
- `dist/aggregator.js` connects to each enabled `remote.url` using configured secret headers.
- `dist/aggregator.js` exposes and forwards calls to remote tool servers.
- `dist/index.js` enables composite remote-server loading by default for the CLI.
- `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
- No filesystem writes, shell/process execution, eval, dynamic code loading, or local credential harvesting found.
- `dist/client.js` reads only the explicit API-token and URL environment variables.
- `dist/client.js` masks environment-variable values before returning them through MCP.
- Remote resolution is documented and limited by the controlplane API's admin authorization path.
Source & flagged code
4 flagged · loading source`dist/aggregator.js` fetches workspace-configured remote MCP definitions.
dist/aggregator.jsView on unpkg`dist/aggregator.js` connects to each enabled `remote.url` using configured secret headers.
dist/aggregator.jsView on unpkg`dist/aggregator.js` exposes and forwards calls to remote tool servers.
dist/aggregator.jsView on unpkg`dist/index.js` enables composite remote-server loading by default for the CLI.
dist/index.jsView on unpkg