registry  /  @retasc/cli  /  1.2.1

@retasc/cli@1.2.1

Retasc CLI — sign in with GitHub, create projects, mint agent API keys, and wire your agent to the Retasc MCP server in one command.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `retasc init`, `retasc bind`, `retasc mcp install`, or `retasc gate install`.
Impact
Adds Retasc agent access for the current workspace and can create requested repository gate files.
Mechanism
Local MCP configuration and user-invoked Git integration.
Rationale
No malicious install-time or stealth behavior was found. Because it deliberately configures an AI-agent MCP surface on explicit user commands, retain a non-blocking warning classification.
Evidence
package.jsondist/commands/mcp.jsdist/commands/bind.jsdist/proxy.jsdist/commands/gate.jsdist/config.jsdist/lib/keystore.js./.mcp.json~/.retasc/config.json~/.retasc/bindings.json.githooks/commit-msg.github/workflows/check-commit-message.yml
Network endpoints4
mcp.retasc.com/mcpunique-lyrebird-934.convex.cloudgithub.com/login/device/codegithub.com/login/oauth/access_token

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/commands/mcp.js` runs `claude mcp add` and otherwise writes `./.mcp.json` on explicit install/bind flows.
  • `dist/proxy.js` forwards MCP JSON-RPC using a workspace key and can be spawned by an MCP harness.
  • `dist/commands/gate.js` explicitly writes a Git hook and GitHub Action when `retasc gate install` is invoked.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; `prepublishOnly` only builds before publishing.
  • `dist/commands/mcp.js` refuses global `--scope user` and downgrades it to local scope.
  • `dist/config.js` and `dist/lib/keystore.js` store package credentials under `~/.retasc` with mode `0600`.
  • Network use is package-aligned: GitHub device login, Retasc Convex management, and the Retasc MCP endpoint.
  • No eval, dynamic code loading, shell interpolation, arbitrary command execution, or unexplained exfiltration was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 101 KB of source, external domains: github.com, mcp.retasc.com, unique-lyrebird-934.convex.cloud

Source & flagged code

3 flagged · loading source
dist/commands/mcp.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/commands/mcp.js` runs `claude mcp add` and otherwise writes `./.mcp.json` on explicit install/bind flows.

dist/commands/mcp.jsView on unpkg
dist/proxy.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/proxy.js` forwards MCP JSON-RPC using a workspace key and can be spawned by an MCP harness.

dist/proxy.jsView on unpkg
dist/commands/gate.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/commands/gate.js` explicitly writes a Git hook and GitHub Action when `retasc gate install` is invoked.

dist/commands/gate.jsView on unpkg

Findings

5 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/commands/mcp.js
MediumAi Review Evidencedist/proxy.js
MediumAi Review Evidencedist/commands/gate.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings