AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the `signaliz-mcp` package bin without `test` or `tools`.
Impact
A later MCP-client launch may execute the latest `@signaliz/mcp-server` and exposes the user-provided API key to that configured server.
Mechanism
Interactive MCP config write with a deferred `npx` server command.
Rationale
This is explicit-user-command AI-agent configuration mutation with a deferred latest-version `npx` execution path, so it warrants a warning. The inspected source contains no concrete malicious chain or unconsented install-time mutation.
Evidence
package.jsondist/mcp-config.mjsdist/chunk-4LXMT3S5.mjsdist/index.mjs~/Library/Application Support/Claude/claude_desktop_config.json./.cursor/mcp.json./.mcp/config.json
Network endpoints2
api.signaliz.com/functions/v1api.signaliz.com/token
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/mcp-config.mjs` is an executable package bin that writes MCP client configuration.
- Default bin execution detects Claude Desktop and writes `mcpServers.signaliz` to its config.
- Written config runs `npx -y @signaliz/mcp-server@latest`, allowing later remote package resolution.
- The CLI stores the supplied `SIGNALIZ_API_KEY` in the generated MCP config.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
- Configuration mutation occurs only when the user invokes `signaliz-mcp`; importing `dist/index.mjs` only exports SDK classes.
- SDK network calls are credentialed requests to `api.signaliz.com`, matching the package service.
- No child-process execution, eval/vm use, harvesting, destructive actions, or stealth persistence was found in inspected files.
Behavioral surface
EnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
1 flagged · loading sourcedist/mcp-config.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @signaliz/sdk@1.0.38
matchedIdentity = npm:QHNpZ25hbGl6L3Nkaw:1.0.38
similarity = 0.400
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/mcp-config.jsView on unpkgFindings
1 High2 Medium4 Low
HighPrevious Version Dangerous Deltadist/mcp-config.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings