AI Security Review
scanned 9h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User explicitly runs the `signaliz-mcp` executable, including with no subcommand.
Impact
Persists a third-party MCP server entry in a detected AI-client or project MCP config; the registered server is fetched at later agent startup.
Mechanism
CLI writes an MCP server registration and API-key environment variable.
Rationale
Source inspection confirms a real explicit CLI AI-agent configuration write and an unpinned MCP-server registration. It does not show install-time execution, stealthy persistence, credential harvesting, or exfiltration beyond normal authenticated Signaliz API requests.
Evidence
package.jsondist/mcp-config.mjsdist/chunk-XRSWZ62S.mjsREADME.md~/Library/Application Support/Claude/claude_desktop_config.json.cursor/mcp.json.mcp/config.json
Network endpoints2
api.signaliz.com/functions/v1api.signaliz.com/token
Decision evidence
public snapshotAI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/mcp-config.mjs` is an executable bin that defaults to setup.
- Explicit CLI setup writes MCP config for Claude Desktop, Cursor, or `.mcp/config.json`.
- Written config registers `@signaliz/mcp-server@latest` via `npx` and stores the provided API key.
- SDK sends caller-supplied credentials and requests to `api.signaliz.com`.
Evidence against
- `package.json` has no preinstall/install/postinstall hook; only `prepublishOnly` builds.
- Config mutation occurs only when the user runs `signaliz-mcp`; package import does not invoke it.
- No child-process API, eval/vm/Function, native loading, destructive deletion, or unrelated endpoint was found.
- Network code is a conventional authenticated SDK client targeting Signaliz API endpoints.
Behavioral surface
EnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
1 flagged · loading sourcedist/mcp-config.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @signaliz/sdk@1.0.25
matchedIdentity = npm:QHNpZ25hbGl6L3Nkaw:1.0.25
similarity = 0.400
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/mcp-config.jsView on unpkgFindings
1 High2 Medium4 Low
HighPrevious Version Dangerous Deltadist/mcp-config.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings