registry  /  @signaliz/sdk  /  1.0.38

@signaliz/sdk@1.0.38

Signaliz SDK for Find Email, Verify Email, Company Signal Enrichment, and Signal to Copy AI.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User explicitly runs the `signaliz-mcp` bin without `test` or `tools`.
Impact
Adds a remotely resolved MCP server command to a detected agent configuration; later agent startup may execute it with the stored Signaliz credential.
Mechanism
user-invoked AI-agent MCP configuration write
Rationale
Source inspection confirms explicit user-command mutation of AI-agent configuration, not install-time or covert malicious behavior. Per policy this is a warn-level agent capability risk, not a publish-block condition.
Evidence
package.jsondist/mcp-config.mjsdist/chunk-ZIYVY22X.mjsdist/index.mjs~/Library/Application Support/Claude/claude_desktop_config.json.cursor/mcp.json.mcp/config.json
Network endpoints2
api.signaliz.com/functions/v1api.signaliz.com/token

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/mcp-config.mjs` runs when the `signaliz-mcp` bin is explicitly invoked.
  • Its default setup writes an MCP server entry into Claude, Cursor, or local `.mcp` configuration.
  • The generated entry runs `npx -y @signaliz/mcp-server@latest` and passes the supplied API key.
  • Runtime SDK requests send configured credentials and caller-provided API payloads to `api.signaliz.com`.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook; `prepublishOnly` only builds before publishing.
  • `dist/index.mjs` has no import-time side effect; the only top-level invocation is the MCP CLI's `main()`.
  • No child-process execution, eval/vm usage, shell invocation, credential harvesting, or unrelated file collection was found.
  • Network traffic is limited to the package-aligned Signaliz API and token endpoints.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 144 KB of source, external domains: api.signaliz.com

Source & flagged code

1 flagged · loading source
dist/mcp-config.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @signaliz/sdk@1.0.37 matchedIdentity = npm:QHNpZ25hbGl6L3Nkaw:1.0.37 similarity = 0.400 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/mcp-config.jsView on unpkg

Findings

1 High2 Medium4 Low
HighPrevious Version Dangerous Deltadist/mcp-config.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings