registry  /  @tmail/mcp  /  1.0.12

@tmail/mcp@1.0.12

TMail MCP Server — Model Context Protocol server for TMail agent mail API

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs npx @tmail/mcp init <api_url> or configure, or invokes MCP tools after configuration
Impact
Can add a tmail MCP server block and AGENTS.md guidance; API calls go to user-configured TMAIL_API_URL with stored TMail session credentials
Mechanism
explicit AI agent MCP configuration and TMail API client
Rationale
Static inspection supports a warning for explicit user-command AI-agent config mutation, not a publish block. Scanner exfil/RCE hints appear to be noisy because secrets are posted only to the configured TMail API for package-aligned auth/mail operations and sensitive fields are sanitized from tool output.
Evidence
package.jsondist/cli.jsdist/index.jsREADME.mdagent-gate.mdAGENTS.md.gitignore.tmail/AGENT-GATE.md.tmail/host-lock.json.vscode/mcp.json.cursor/mcp.json.windsurf/mcp.json.codex/config.tomlopencode.json.zed/settings.json<TMAIL_MAIN_DIR>/<wallet_slug>/profile/session.json<TMAIL_MAIN_DIR>/<wallet_slug>/profile/e2ee.json

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli.js runInit/runConfigure explicitly merge tmail MCP blocks into many agent config paths
  • dist/cli.js patches project AGENTS.md with TMail gate instructions during init
  • dist/cli.js persists session.json/e2ee.json under TMAIL_MAIN_DIR after bind/login/E2EE tool calls
  • dist/cli.js uses user-provided TMAIL_API_URL for API calls and Authorization bearer headers
Evidence against
  • package.json has no install/preinstall/postinstall hooks; only prepublishOnly
  • Agent config mutation is behind explicit CLI subcommands init/configure, not import or install time
  • mergeTmailMcpConfig writes command npx -y @tmail/mcp with TMAIL env, not a remote payload
  • Network base URL comes from TMAIL_API_URL/init argument; no hardcoded exfil endpoint found
  • sanitizeForTool removes api_key/access_token/refresh_token/enc_priv_key_base64/passphrase from tool output
  • execSync is limited to zstd -d for local attachment decompression
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 1.90 MB of source, external domains: caniuse.com, datatracker.ietf.org, github.com, issues.chromium.org, json-schema.org, nvlpubs.nist.gov, opencode.ai, raw.githubusercontent.com

Source & flagged code

6 flagged · loading source
dist/index.jsView file
13import { gunzipSync } from "node:zlib"; L14: import { execSync } from "node:child_process"; L15: //#region \0rolldown/runtime.js
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L13
3692try { L3693: new Function(""); L3694: return true;
High
Eval

Package source references dynamic code evaluation.

dist/index.jsView on unpkg · L3692
36}) : target, mod)); L37: var __require = /* #__PURE__ */ (() => createRequire(import.meta.url))(); L38: //#endregion
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L36
dist/cli.jsView file
6import { stripVTControlCharacters } from "node:util"; L7: import y, { stdin, stdout } from "node:process"; L8: import "node:readline"; ... L12: import * as nc from "node:crypto"; L13: import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes, randomUUID } from "node:crypto"; L14: import { ZodOptional, z } from "zod"; L15: import { Http2ServerRequest, constants } from "http2"; L16: import { Readable } from "stream"; ... L19: import { gunzipSync } from "node:zlib"; L20: import { execSync } from "node:child_process"; L21: //#region \0rolldown/runtime.js ... L464: }
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/cli.jsView on unpkg · L6
6Trigger-reachable chain: manifest.bin -> dist/cli.js L6: import { stripVTControlCharacters } from "node:util"; L7: import y, { stdin, stdout } from "node:process"; L8: import "node:readline"; ... L12: import * as nc from "node:crypto"; L13: import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes, randomUUID } from "node:crypto"; L14: import { ZodOptional, z } from "zod"; L15: import { Http2ServerRequest, constants } from "http2"; L16: import { Readable } from "stream"; ... L19: import { gunzipSync } from "node:zlib"; L20: import { execSync } from "node:child_process"; L21: //#region \0rolldown/runtime.js ... L464: }
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.jsView on unpkg · L6
6Cross-file remote execution chain: dist/cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L6: import { stripVTControlCharacters } from "node:util"; L7: import y, { stdin, stdout } from "node:process"; L8: import "node:readline"; ... L12: import * as nc from "node:crypto"; L13: import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes, randomUUID } from "node:crypto"; L14: import { ZodOptional, z } from "zod"; L15: import { Http2ServerRequest, constants } from "http2"; L16: import { Readable } from "stream"; ... L19: import { gunzipSync } from "node:zlib"; L20: import { execSync } from "node:child_process"; L21: //#region \0rolldown/runtime.js ... L464: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L6

Findings

2 Critical4 High4 Medium5 Low
CriticalCredential Exfiltrationdist/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli.js
HighChild Processdist/index.js
HighShell
HighEvaldist/index.js
HighCross File Remote Execution Contextdist/cli.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings