AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `systemdox-mcp-server setup`, enters an API key, and chooses one or more targets.
Impact
Selected MCP clients load the package through npx and retain the entered API key in their configuration.
Mechanism
Explicit AI-agent configuration mutation and authenticated SystemDox API client.
Rationale
No concrete malicious install-time or covert behavior was found. Warn because an explicit command modifies AI-agent configs and stores a credential in selected config files.
Evidence
package.jsondist/cli.jsdist/lib/api-client.jsdist/index.jsREADME.md<cwd>/.mcp.json~/.claude.json<cwd>/.cursor/mcp.json<cwd>/.vscode/mcp.json~/.cursor/mcp.json
Network endpoints1
api.puglieseweb.com/systemdox
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/cli.js` `setup` explicitly writes MCP entries to project and user AI-tool config files.
- The written entry embeds the prompted `SYSTEMDOX_API_KEY` and launches `npx @systemdox/mcp-server`.
- `dist/lib/api-client.js` sends that API key to the configured SystemDox API using authorization headers.
Evidence against
- `package.json` has only `prepublishOnly`; there are no install-time lifecycle hooks.
- Config mutation runs only after the user invokes `systemdox-mcp-server setup` and selects targets.
- No child-process execution, dynamic code evaluation, arbitrary file harvesting, or hidden persistence was found.
- Network behavior targets the documented SystemDox API and exposes MCP read/write tools.
Behavioral surface
EnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/http.jsView file
58if (!res.ok) {
L59: const body = await res.text();
L60: throw new Error(`SystemDox API error ${res.status}: ${body}`);
...
L73: const url = this.buildUrl(path);
L74: const res = await fetch(url, {
L75: method,
...
L82: },
L83: body: JSON.stringify(body)
L84: });
...
L1653: apiKey,
L1654: apiUrl: process.env.SYSTEMDOX_API_URL ?? "https://api.puglieseweb.com/systemdox",
L1655: cacheTtlMs: 0,
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/http.jsView on unpkg · L5858Trigger-reachable chain: manifest.exports -> dist/http.js
L58: if (!res.ok) {
L59: const body = await res.text();
L60: throw new Error(`SystemDox API error ${res.status}: ${body}`);
...
L73: const url = this.buildUrl(path);
L74: const res = await fetch(url, {
L75: method,
...
L82: },
L83: body: JSON.stringify(body)
L84: });
...
L1653: apiKey,
L1654: apiUrl: process.env.SYSTEMDOX_API_URL ?? "https://api.puglieseweb.com/systemdox",
L1655: cacheTtlMs: 0,
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/http.jsView on unpkg · L58Findings
2 Critical3 Medium5 Low
CriticalCredential Exfiltrationdist/http.js
CriticalTrigger Reachable Dangerous Capabilitydist/http.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings