AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User explicitly runs `seekrit mcp` and connects an MCP client with valid Seekrit credentials.
Impact
A connected or prompt-influenced agent could execute commands with decrypted secrets or persist them to a chosen local file.
Mechanism
MCP-mediated command execution and decrypted-secret file export.
Rationale
The package is a secrets-manager CLI and its network, environment, and child-process behavior is largely product-aligned. However, the explicit MCP server exposes arbitrary local command execution and secret-file export to an AI-agent control surface, warranting a warning for dangerous dual-use capability.
Evidence
package.jsondist/index.jsdist/mcp-ARBuneH3.js~/.config/seekrit/config.jsonseekrit.json
Network endpoints1
api.seekrit.dev
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/mcp-ARBuneH3.js` exposes an MCP `run` tool that spawns caller-selected commands with decrypted secrets in the environment.
- `dist/mcp-ARBuneH3.js` exposes a tool that writes decrypted secrets to a caller-selected file path.
- `dist/index.js` activates the MCP server only through explicit `seekrit mcp`; it is not install- or import-time.
- `dist/index.js` dynamically loads only its bundled `./mcp-ARBuneH3.js` for that command.
Evidence against
- `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
- `dist/index.js` uses `spawn(cmd,args)` for the explicit `seekrit run` command, not a hidden shell command.
- Network requests use the configured Seekrit API base URL, defaulting to `https://api.seekrit.dev`.
- No eval/vm/native loading, hidden downloader, foreign AI-agent config mutation, or unsolicited persistence was found.
- The flagged secret-looking strings are token/credential handling logic, not embedded credential values.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/index.jsView file
1287patternName = private_key_openssh
severity = critical
line = 1287
matchedText = return `...\n`;
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/index.jsView on unpkg · L12871287patternName = private_key_openssh
severity = critical
line = 1287
matchedText = return `...\n`;
Critical
•matchType = previous_version_dangerous_delta
matchedPackage = @seekrit/cli@0.15.0
matchedIdentity = npm:QHNlZWtyaXQvY2xp:0.15.0
similarity = 0.500
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkgFindings
2 Critical1 High2 Medium5 Low
CriticalCritical Secretdist/index.js
CriticalSecret Patterndist/index.js
HighPrevious Version Dangerous Deltadist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License