registry  /  @tmail/mcp  /  1.0.11

@tmail/mcp@1.0.11

TMail MCP Server — Model Context Protocol server for TMail agent mail API

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs tmail-mcp init/configure or invokes tmail_* MCP tools.
Impact
Can add a tmail MCP server block to supported project agent configs and store TMail session/E2EE/webhook data under .tmail after user-driven setup.
Mechanism
explicit MCP server setup plus TMail API client and local profile storage
Rationale
Because explicit-user-command agent config mutation and local credential storage are intentional MCP setup behavior but still touch AI-agent control surfaces, this warrants warning rather than blocking. No concrete malicious chain or unconsented install-time behavior was found.
Evidence
package.jsondist/cli.jsdist/index.jsREADME.mdagent-gate.mdskills/tmail-agent-setup/SKILL.md.tmail/AGENT-GATE.mdAGENTS.md.gitignore.tmail/host-lock.json.cursor/mcp.json.vscode/mcp.json.windsurf/mcp.json.codex/config.toml.tmail/<wallet_slug>/profile/session.json.tmail/<wallet_slug>/profile/meta.json.tmail/<wallet_slug>/profile/e2ee.json.tmail/<wallet_slug>/profile/webhook.json
Network endpoints2
user-supplied TMAIL_API_URLuser-supplied init <api_url>

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli.js init/configure can merge a tmail MCP block into many IDE/agent config paths under the project.
  • dist/cli.js runInit also writes .tmail/AGENT-GATE.md, patches AGENTS.md, and updates .gitignore.
  • dist/cli.js stores bind/login API credentials in .tmail/<wallet_slug>/profile/session.json after explicit MCP bind/login tools.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle; only prepublishOnly runs tests/build before publishing.
  • Config mutation is explicit user-command behavior: npx @tmail/mcp init/configure, often interactive or --host selected.
  • Network calls use user-provided TMAIL_API_URL/api_url and TMail API paths, not hardcoded exfiltration endpoints.
  • sanitizeForTool strips api_key, refresh_token, access_token, secrets, passphrase, and private key fields from tool output.
  • dist/cli.js rejects owner and bind-invite keys as persisted sub-agent session api_key values.
  • execSync is limited to local zstd decompression during user-invoked E2EE attachment decrypt.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 1.89 MB of source, external domains: caniuse.com, datatracker.ietf.org, github.com, issues.chromium.org, json-schema.org, nvlpubs.nist.gov, opencode.ai, raw.githubusercontent.com

Source & flagged code

6 flagged · loading source
dist/index.jsView file
13import { gunzipSync } from "node:zlib"; L14: import { execSync } from "node:child_process"; L15: //#region \0rolldown/runtime.js
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L13
3692try { L3693: new Function(""); L3694: return true;
High
Eval

Package source references dynamic code evaluation.

dist/index.jsView on unpkg · L3692
36}) : target, mod)); L37: var __require = /* #__PURE__ */ (() => createRequire(import.meta.url))(); L38: //#endregion
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L36
dist/cli.jsView file
6import { stripVTControlCharacters } from "node:util"; L7: import y, { stdin, stdout } from "node:process"; L8: import "node:readline"; ... L12: import * as nc from "node:crypto"; L13: import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes, randomUUID } from "node:crypto"; L14: import { ZodOptional, z } from "zod"; L15: import { Http2ServerRequest, constants } from "http2"; L16: import { Readable } from "stream"; ... L19: import { gunzipSync } from "node:zlib"; L20: import { execSync } from "node:child_process"; L21: //#region \0rolldown/runtime.js ... L464: }
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/cli.jsView on unpkg · L6
6Trigger-reachable chain: manifest.bin -> dist/cli.js L6: import { stripVTControlCharacters } from "node:util"; L7: import y, { stdin, stdout } from "node:process"; L8: import "node:readline"; ... L12: import * as nc from "node:crypto"; L13: import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes, randomUUID } from "node:crypto"; L14: import { ZodOptional, z } from "zod"; L15: import { Http2ServerRequest, constants } from "http2"; L16: import { Readable } from "stream"; ... L19: import { gunzipSync } from "node:zlib"; L20: import { execSync } from "node:child_process"; L21: //#region \0rolldown/runtime.js ... L464: }
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.jsView on unpkg · L6
6Cross-file remote execution chain: dist/cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L6: import { stripVTControlCharacters } from "node:util"; L7: import y, { stdin, stdout } from "node:process"; L8: import "node:readline"; ... L12: import * as nc from "node:crypto"; L13: import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes, randomUUID } from "node:crypto"; L14: import { ZodOptional, z } from "zod"; L15: import { Http2ServerRequest, constants } from "http2"; L16: import { Readable } from "stream"; ... L19: import { gunzipSync } from "node:zlib"; L20: import { execSync } from "node:child_process"; L21: //#region \0rolldown/runtime.js ... L464: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L6

Findings

2 Critical4 High4 Medium5 Low
CriticalCredential Exfiltrationdist/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli.js
HighChild Processdist/index.js
HighShell
HighEvaldist/index.js
HighCross File Remote Execution Contextdist/cli.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings