AI Security Review
scanned 2h ago · by lpm-firewall-aiThe MCP server exposes `op_run`, an explicitly invoked arbitrary local command runner. It can resolve 1Password secrets into a child environment, making downstream disclosure possible through the chosen command.
Static reason
No blocking static signals were detected.
Trigger
A connected MCP client invokes the `op_run` tool with `command` or `argv` and optional `op://` environment values.
Impact
An authorized or compromised MCP client can run local commands and direct resolved secrets to files, processes, or network destinations.
Mechanism
MCP-controlled child-process execution with 1Password secret injection.
Rationale
The package shows no covert installation-time behavior or hidden payload, but it intentionally grants an MCP client arbitrary local command execution with resolved secrets. This is a real high-risk agent capability rather than evidence of malware.
Evidence
package.jsonbin/1password-mcp.jsdist/index.jsdist/config.jsdist/client.jsdist/secret-ref.jsdist/tools/op-run.js
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/tools/op-run.js` exposes an MCP tool that spawns arbitrary local commands.
- `op_run` resolves `op://` secrets and injects plaintext into child-process environment variables.
- `op_run` supports a shell-command mode; its own description notes secrets may reach files, network, child processes, and OS listings.
- `dist/config.js` can read a configured macOS Keychain token via `security find-generic-password`.
- No confirmation or command allowlist is enforced before `op_run` launches the requested process.
Evidence against
- `package.json` contains no preinstall, install, or postinstall lifecycle hook.
- `bin/1password-mcp.js` only imports `dist/index.js`; startup uses stdio MCP transport.
- No package source writes agent configs, persistence files, or filesystem payloads.
- No hidden network client or hard-coded runtime endpoint appears in inspected package code.
- Secret-reference vaults are checked against `OP_MCP_ALLOWED_VAULTS` before resolution.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStrings
Source & flagged code
2 flagged · loading sourcedist/tools/op-run.jsView file
•Published source reference
Medium
Ai Review Evidence
`dist/tools/op-run.js` exposes an MCP tool that spawns arbitrary local commands.
dist/tools/op-run.jsView on unpkgdist/config.jsView file
•Published source reference
Medium
Ai Review Evidence
`dist/config.js` can read a configured macOS Keychain token via `security find-generic-password`.
dist/config.jsView on unpkgFindings
6 Medium4 Low
MediumEnvironment Vars
MediumAi Review Evidencedist/tools/op-run.js
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidencedist/config.js
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings