AI Security Review
scanned 2h ago · by lpm-firewall-aiThe default network service listens on all IPv4 interfaces. Its auth middleware marks `/` public, while the server treats POST `/` as an MCP RPC endpoint that invokes database-backed tools.
Static reason
One or more suspicious static signals were detected.
Trigger
Run `collab-mcp start` or import `src/index.js`; a remote client POSTs JSON-RPC to `/`.
Impact
Unauthenticated network clients can read or alter collaboration data and invoke commit synchronization; supplied credentials may also be written to server logs on protected routes.
Mechanism
authentication bypass for MCP tool invocation
Rationale
Source inspection confirms a remotely reachable authentication bypass and credential-bearing debug logging, so the package is unsafe to publish without remediation. No install-time execution, exfiltration, or stealth persistence establishes malicious intent.
Evidence
package.jsonsrc/config-store.jssrc/auth.jssrc/server.jssrc/tools.jssrc/database.jssrc/cli-autostart.jssrc/service-linux.jssrc/service-windows.jssrc/index.js~/.collab-mcp/config.json~/.collab-mcp/collab.db
Network endpoints1
0.0.0.0:3010/
Decision evidence
public snapshotAI called this Suspicious at 96.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `src/auth.js` exempts `/` from authentication.
- `src/server.js` accepts unauthenticated POST `/` as MCP JSON-RPC.
- `src/tools.js` exposes message, review, target, and commit-sync handlers.
- `src/config-store.js` defaults to `0.0.0.0:3010` with auth enabled.
- `src/auth.js` logs Authorization and X-API-Key header values when auth is checked.
- `src/database.js` runs git metadata collection for caller-controlled project roots.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hook.
- Service persistence is only behind explicit `collab-mcp autostart enable`.
- No external network endpoint or credential-exfiltration path was found.
- Shell execution is limited to a fixed `git log` command and OS-service helpers.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcesrc/cli-install.jsView file
114patternName = generic_password
severity = medium
line = 114
matchedText = console....rd);
Medium
src/service-windows.jsView file
12L13: const { execFileSync } = require('child_process');
L14: const fs = require('fs');
...
L30: fs.mkdirSync(wrapperDir(), { recursive: true });
L31: // bin/collab-mcp.js sits next to package.json in the install root; we
L32: // resolve via the package root so the wrapper works regardless of cwd.
L33: const pkgRoot = path.resolve(__dirname, '..');
L34: const scriptPath = path.join(pkgRoot, 'bin', 'collab-mcp.js');
...
L59: const taskXml = `<?xml version="1.0" encoding="UTF-16"?>
L60: <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
L61: <RegistrationInfo><Description>Collab MCP autostart</Description></RegistrationInfo>
...
L76: fs.writeFileSync(xmlPath, taskXml, 'utf16le');
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
src/service-windows.jsView on unpkg · L12src/cli-user.jsView file
63patternName = generic_password
severity = medium
line = 63
matchedText = console....rd);
Medium
93patternName = generic_password
severity = medium
line = 93
matchedText = console....rd);
Medium
Findings
6 Medium4 Low
MediumSecret Patternsrc/cli-install.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/service-windows.js
MediumSecret Patternsrc/cli-user.js
MediumSecret Patternsrc/cli-user.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings