registry  /  @trustbaseai/collab-mcp  /  0.2.1

@trustbaseai/collab-mcp@0.2.1

Multi-AI collaboration MCP server - core communication layer

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The default network service listens on all IPv4 interfaces. Its auth middleware marks `/` public, while the server treats POST `/` as an MCP RPC endpoint that invokes database-backed tools.

Static reason
One or more suspicious static signals were detected.
Trigger
Run `collab-mcp start` or import `src/index.js`; a remote client POSTs JSON-RPC to `/`.
Impact
Unauthenticated network clients can read or alter collaboration data and invoke commit synchronization; supplied credentials may also be written to server logs on protected routes.
Mechanism
authentication bypass for MCP tool invocation
Rationale
Source inspection confirms a remotely reachable authentication bypass and credential-bearing debug logging, so the package is unsafe to publish without remediation. No install-time execution, exfiltration, or stealth persistence establishes malicious intent.
Evidence
package.jsonsrc/config-store.jssrc/auth.jssrc/server.jssrc/tools.jssrc/database.jssrc/cli-autostart.jssrc/service-linux.jssrc/service-windows.jssrc/index.js~/.collab-mcp/config.json~/.collab-mcp/collab.db
Network endpoints1
0.0.0.0:3010/

Decision evidence

public snapshot
AI called this Suspicious at 96.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `src/auth.js` exempts `/` from authentication.
  • `src/server.js` accepts unauthenticated POST `/` as MCP JSON-RPC.
  • `src/tools.js` exposes message, review, target, and commit-sync handlers.
  • `src/config-store.js` defaults to `0.0.0.0:3010` with auth enabled.
  • `src/auth.js` logs Authorization and X-API-Key header values when auth is checked.
  • `src/database.js` runs git metadata collection for caller-controlled project roots.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • Service persistence is only behind explicit `collab-mcp autostart enable`.
  • No external network endpoint or credential-exfiltration path was found.
  • Shell execution is limited to a fixed `git log` command and OS-service helpers.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 22 file(s), 92.0 KB of source, external domains: 127.0.0.1, schemas.microsoft.com, www.launchd.info

Source & flagged code

4 flagged · loading source
src/cli-install.jsView file
114patternName = generic_password severity = medium line = 114 matchedText = console....rd);
Medium
Secret Pattern

Package contains a possible secret pattern.

src/cli-install.jsView on unpkg · L114
src/service-windows.jsView file
12L13: const { execFileSync } = require('child_process'); L14: const fs = require('fs'); ... L30: fs.mkdirSync(wrapperDir(), { recursive: true }); L31: // bin/collab-mcp.js sits next to package.json in the install root; we L32: // resolve via the package root so the wrapper works regardless of cwd. L33: const pkgRoot = path.resolve(__dirname, '..'); L34: const scriptPath = path.join(pkgRoot, 'bin', 'collab-mcp.js'); ... L59: const taskXml = `<?xml version="1.0" encoding="UTF-16"?> L60: <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> L61: <RegistrationInfo><Description>Collab MCP autostart</Description></RegistrationInfo> ... L76: fs.writeFileSync(xmlPath, taskXml, 'utf16le');
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/service-windows.jsView on unpkg · L12
src/cli-user.jsView file
63patternName = generic_password severity = medium line = 63 matchedText = console....rd);
Medium
Secret Pattern

Hardcoded password in src/cli-user.js

src/cli-user.jsView on unpkg · L63
93patternName = generic_password severity = medium line = 93 matchedText = console....rd);
Medium
Secret Pattern

Hardcoded password in src/cli-user.js

src/cli-user.jsView on unpkg · L93

Findings

6 Medium4 Low
MediumSecret Patternsrc/cli-install.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/service-windows.js
MediumSecret Patternsrc/cli-user.js
MediumSecret Patternsrc/cli-user.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings