registry  /  @synapsor/runner  /  0.1.3

@synapsor/runner@0.1.3

Stop giving AI agents execute_sql; expose reviewed Postgres/MySQL MCP actions with proposals, approval, writeback, and replay.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

No confirmed malicious attack surface from static source inspection. The package is a user-invoked MCP/database safety runner with local servers, config generation, database access, and writeback utilities gated by CLI commands, config, env vars, and approvals.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs synapsor-runner CLI commands such as mcp serve, mcp configure --write, apply, events webhook, or audit.
Impact
No evidence of unconsented execution, credential harvesting, exfiltration, persistence, destructive install behavior, or broad AI-agent control hijack.
Mechanism
user-invoked MCP runner and guarded database writeback tooling
Rationale
Scanner hits map to expected CLI capabilities for an MCP/database safety runner: child_process for user-requested helper/audit/open/docker actions, HTTP for local/authenticated MCP/UI and configured endpoints, and file writes for explicit config/export/store operations. With no lifecycle hooks or import-time behavior and no unconsented AI-agent config mutation, the package should be marked clean.
Evidence
package.jsondist/cli.jsdist/runner.mjs
Network endpoints5
synapsor.aigithub.com/synapsor-ai/synapsor-runner.git127.0.0.1:8787/synapsor/writeback127.0.0.1:8766/mcp127.0.0.1:8788/synapsor/events

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks; only bin dist/cli.js and build/prepack/test scripts.
    • dist/cli.js only checks Node version and spawns bundled dist/runner.mjs with inherited stdio/env when user runs the CLI.
    • dist/runner.mjs HTTP/MCP listeners default to 127.0.0.1 and require bearer token env unless explicit localhost dev-no-auth is used.
    • MCP client config writes occur only via explicit mcp configure --write with destination and confirmation/--yes; no install-time agent config mutation.
    • Network calls are package-aligned: configured cloud baseUrl, local MCP/UI servers, user-supplied audit/webhook/handler URLs.
    • Secret handling is defensive: config validation rejects inline secrets/URLs in contracts and persistence paths redact/refuse secret-like values.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 6 file(s), 720 KB of source, external domains: 127.0.0.1

    Source & flagged code

    7 flagged · loading source
    dist/runner.mjsView file
    matchType = previous_version_dangerous_delta matchedPackage = @synapsor/runner@0.1.1 matchedIdentity = npm:QHN5bmFwc29yL3J1bm5lcg:0.1.1 similarity = 0.833 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/runner.mjsView on unpkg
    4import fs3 from "node:fs/promises"; L5: import { spawn, spawnSync } from "node:child_process"; L6: import crypto5 from "node:crypto";
    High
    Child Process

    Package source references child process execution.

    dist/runner.mjsView on unpkg · L4
    4Detached bundled service listener: dist/runner.mjs launches a Node helper and exposes a broad-bound HTTP listener. L4: import fs3 from "node:fs/promises"; L5: import { spawn, spawnSync } from "node:child_process"; L6: import crypto5 from "node:crypto"; L7: import net from "node:net"; L8: import os from "node:os"; ... L322: }; L323: const response = await this.post("/v1/writeback/jobs/claim", body); L324: const jobs = Array.isArray(response.jobs) ? response.jobs : []; ... L382: }); L383: const payload = await response.json().catch(() => ({})); L384: if (response.ok && payload?.ok) { ... L2566: }
    High
    Spawned Bundled Service Listener

    Source launches a detached bundled service that exposes a broad-bound HTTP listener.

    dist/runner.mjsView on unpkg · L4
    10166async function dynamicImportModule(specifier) { L10167: const importer = new Function("specifier", "return import(specifier)"); L10168: return importer(specifier);
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/runner.mjsView on unpkg · L10166
    10166async function dynamicImportModule(specifier) { L10167: const importer = new Function("specifier", "return import(specifier)"); L10168: return importer(specifier);
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/runner.mjsView on unpkg · L10166
    dist/cli.jsView file
    1Cross-file remote execution chain: dist/cli.js spawns dist/runner.mjs; helper contains network access plus dynamic code execution. L1: #!/usr/bin/env node L2: import { spawnSync } from 'node:child_process'; L3: import { dirname, basename, join } from 'node:path'; ... L5: L6: const __dirname = dirname(fileURLToPath(import.meta.url)); L7: const invoked = basename(process.argv[1] || 'synapsor'); ... L15: stdio: 'inherit', L16: env: { ...process.env, NODE_NO_WARNINGS: '1', SYNAPSOR_RUNNER_COMMAND_NAME: commandName }, L17: });
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    dist/cli.jsView on unpkg · L1
    examples/openai-agents-http/MakefileView file
    path = examples/openai-agents-http/Makefile kind = build_helper sizeBytes = 212 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    examples/openai-agents-http/MakefileView on unpkg

    Findings

    1 Critical4 High5 Medium5 Low
    CriticalPrevious Version Dangerous Deltadist/runner.mjs
    HighChild Processdist/runner.mjs
    HighShell
    HighCross File Remote Execution Contextdist/cli.js
    HighSpawned Bundled Service Listenerdist/runner.mjs
    MediumDynamic Requiredist/runner.mjs
    MediumNetwork
    MediumEnvironment Vars
    MediumShips Build Helperexamples/openai-agents-http/Makefile
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowEvaldist/runner.mjs
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings