AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the `signaliz-mcp` bin without `test` or `tools`.
Impact
A user-invoked command can persistently add a Signaliz MCP server to Claude Desktop, Cursor, or a project MCP config; the configured server runs when that client starts.
Mechanism
Explicit AI-agent MCP configuration mutation and remote package registration.
Rationale
Source inspection confirms an explicit-user-command AI-agent configuration mutation, which warrants a warning under the stated policy. No concrete exfiltration, destructive behavior, stealth persistence, or install-hook abuse was found.
Evidence
package.jsondist/mcp-config.mjsdist/index.mjsdist/chunk-WHD7INKU.mjsREADME.md~/Library/Application Support/Claude/claude_desktop_config.json.cursor/mcp.json.mcp/config.json
Network endpoints2
api.signaliz.com/functions/v1api.signaliz.com/token
Decision evidence
public snapshotAI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/mcp-config.mjs` defaults its CLI action to setup.
- Setup detects Claude Desktop or Cursor and rewrites MCP configuration.
- Generated entry launches `npx -y @signaliz/mcp-server@latest` with the supplied API key.
- The CLI writes the key into the selected MCP config file.
Evidence against
- `package.json` has only `prepublishOnly`; no install lifecycle hook.
- `dist/index.mjs` only re-exports SDK classes and has no import-time side effects.
- Config mutation requires explicit execution of the `signaliz-mcp` bin.
- Network calls are limited to declared `api.signaliz.com` service endpoints.
- No child-process API, eval, payload download, harvesting, or destructive operation was found.
Behavioral surface
EnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
1 flagged · loading sourcedist/mcp-config.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @signaliz/sdk@1.0.36
matchedIdentity = npm:QHNpZ25hbGl6L3Nkaw:1.0.36
similarity = 0.400
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/mcp-config.jsView on unpkgFindings
1 High2 Medium4 Low
HighPrevious Version Dangerous Deltadist/mcp-config.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings