registry  /  @softawarest/token-optimizer-installer  /  1.10.5

@softawarest/token-optimizer-installer@1.10.5

One-command installer for the Token Optimizer MCP server, skills, plugins, gateway config, and default-on instructions.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This package is an explicit installer for a first-party token_optimizer MCP server and agent plugins. It mutates multiple AI-agent config surfaces and installs default-on instructions, but only after the user runs its bin command.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs token-optimizer/npx installer, then the configured MCP server is launched by an AI client or a user invokes its MCP tools.
Impact
Adds an AI-agent extension with shell-command capability and optional LLM/gateway analytics; risky but not confirmed malicious without lifecycle stealth or exfiltration.
Mechanism
explicit agent plugin/MCP setup with runtime dependency install and command-running MCP tools
Rationale
Source inspection shows a high-risk AI-agent extension installer with explicit config mutation and command-execution capabilities, but activation is user-invoked and package-aligned rather than a stealth npm lifecycle attack. This fits warn/suspicious under the install-control-surface policy, not publish block.
Evidence
package.jsonbin/token-optimizer.jslib/install-core.jsassets/plugin/antigravity/server/start.jsassets/plugin/cursor/server/runner.jsassets/plugin/cursor/server/llm.jsassets/plugin/cursor/server/analytics.js~/.config/opencode/token-optimizer-server~/.config/opencode/skills/token-optimizer~/.config/opencode/opencode.jsonc~/.cursor/token-optimizer-server~/.cursor/mcp.json<cursor-project>/.cursor/rules/token-optimizer.mdc~/.gemini/config/plugins/token-optimizer~/.gemini/config/mcp_config.json~/.claude/settings.json~/.claude/skills/token-optimizer~/.codex/config.toml~/.codex/skills/token-optimizer~/.token-optimizer/plugin/codex~/.token-optimizer-mcp/backups<workspace>/.codex-local-test-runs
Network endpoints4
llm-proxy.lnf.gr/v1localhost:8080/v1${LLM_GATEWAY_URL}/analytics${provider.apiUrl}/chat/completions

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/token-optimizer.js exposes only user-invoked install/config/defaults commands; no package.json lifecycle hook.
  • lib/install-core.js writes MCP/plugin config for Claude, Codex, Gemini/Antigravity, OpenCode, and Cursor under user home.
  • lib/install-core.js appends default-on agent instructions telling clients to use token_optimizer tools.
  • assets/plugin/*/server/start.js runs npm install into a plugin-owned .data cache on first MCP server launch.
  • assets/plugin/*/server/runner.js exposes MCP tools that execute shell commands in caller-supplied workspaces.
  • assets/plugin/*/server/analytics.js can share sanitized analytics to configured LLM gateway when token env is present.
Evidence against
  • package.json has no preinstall/install/postinstall scripts, so npm install itself does not mutate agent configs.
  • Config mutation is activated by explicit bin command, not import-time or lifecycle execution.
  • Network use is package-aligned LLM/gateway traffic via configured env/defaults; no hidden download URL or arbitrary remote payload execution found.
  • Runtime npm install uses bundled server/package.json with only @modelcontextprotocol/sdk dependency, not dynamic package names.
  • No code found harvesting broad credentials or recursively exfiltrating files; analytics record omits raw content and workspace paths before sharing.
  • MCP command execution is exposed as named user-invoked tools rather than automatic persistence/destructive behavior.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 42 file(s), 558 KB of source, external domains: llm-proxy.lnf.gr

Source & flagged code

5 flagged · loading source
lib/install-core.jsView file
3const path = require("path"); L4: const { execFileSync } = require("child_process"); L5:
High
Child Process

Package source references child process execution.

lib/install-core.jsView on unpkg · L3
3const path = require("path"); L4: const { execFileSync } = require("child_process"); L5: L6: const DEFAULT_GATEWAY_URL = "https://llm-proxy.lnf.gr/v1"; L7: const DEFAULT_LOCAL_LLM_URL = "http://localhost:8080/v1"; ... L94: function installerPaths(options = {}) { L95: const home = path.resolve(options.home || process.env.HOME || os.homedir()); L96: const installRoot = path.resolve(options.installRoot || path.join(home, ".token-optimizer")); ... L267: } L268: applyLaunchctlValues(values, options); L269: } ... L426: function readJsonFile(filePath) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

lib/install-core.jsView on unpkg · L3
assets/plugin/cursor/server/start.jsView file
46const result = process.platform === "win32" L47: ? spawnSync("npm " + npmArgs.join(" "), { cwd: data, stdio: ["ignore", 2, 2], shell: true }) L48: : spawnSync("npm", npmArgs, { cwd: data, stdio: ["ignore", 2, 2] }); ... L53: if (!dependenciesResolve()) { L54: console.error("token-optimizer launcher: runtime dependencies remain invalid after npm install in " + data); L55: process.exit(1);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

assets/plugin/cursor/server/start.jsView on unpkg · L46
assets/plugin/cursor/server/start.shView file
path = [redacted].sh kind = build_helper sizeBytes = 152 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

assets/plugin/cursor/server/start.shView on unpkg
assets/plugin/antigravity/server/start.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @softawarest/token-optimizer-installer@1.9.3 matchedIdentity = npm:[redacted]:1.9.3 similarity = 0.762 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

assets/plugin/antigravity/server/start.jsView on unpkg

Findings

1 Critical2 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltaassets/plugin/antigravity/server/start.js
HighChild Processlib/install-core.js
HighRuntime Package Installassets/plugin/cursor/server/start.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencelib/install-core.js
MediumShips Build Helperassets/plugin/cursor/server/start.sh
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License