registry  /  @validpilot/ai-verify-mcp  /  1.8.3

@validpilot/ai-verify-mcp@1.8.3

AI 编程验证平台。让 AI 代码生成结果可验证、可信赖。MCP 协议原生支持,证据驱动。

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The MCP server exposes a caller-controlled arbitrary shell-command tool and arbitrary project-file modification tool. Its HTTP mode accepts tool calls without an API key unless the operator configures one.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
An MCP client invokes `atl_fix` with `fixType: "command"` and `dryRun: false`, or reaches an unauthenticated HTTP MCP instance.
Impact
Commands run with the server process privileges; selected files may be overwritten or backed up.
Mechanism
Caller-supplied shell execution and filesystem mutation.
Rationale
The package is not malware by source evidence, but it provides an unguarded arbitrary-command capability to MCP callers and can be exposed through an optionally unauthenticated HTTP server. This warrants a warning rather than a publication block.
Evidence
handlers/atl.jstools/atl_fix.jsonserver.jspackage.jsoncore/redaction.js
Network endpoints1
localhost:3456/health

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `tools/atl_fix.json` exposes a `command` repair mode and defaults `dryRun` to false.
  • `handlers/atl.js` passes caller-supplied `command` directly to `execSync`.
  • `handlers/atl.js` resolves and writes caller-selected code/config paths, including `.env` files.
  • `server.js` registers `atl_fix` as an OSS MCP tool.
  • `server.js` serves MCP calls without authentication when `MCP_API_KEY` is unset.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook runs for consumers.
  • No hard-coded exfiltration endpoint or credential-upload path was found.
  • `core/redaction.js` redacts common credential values from captured output.
  • No writes to Claude, Cursor, Windsurf, Copilot, or MCP client configuration were found.
  • The repeated U+FEFF prefix in `server.js` is not a bidi control-flow payload.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 1.14 MB of source, external domains: evil.com, example.com, validpilot.com, www.w3.org

Source & flagged code

6 flagged · loading source
hands/deep_interactor.jsView file
190patternName = generic_password severity = medium line = 190 matchedText = password...er',
Medium
Secret Pattern

Package contains a possible secret pattern.

hands/deep_interactor.jsView on unpkg · L190
core/win-encoding.jsView file
15// 切换控制台代码页为 UTF-8 L16: require('child_process').execSync('chcp 65001', { stdio: 'ignore' }); L17: } catch (_) {
High
Child Process

Package source references child process execution.

core/win-encoding.jsView on unpkg · L15
5* L6: * 解决 PowerShell (GBK) 显示 Node.js UTF-8 输出时中文乱码的问题。 L7: * 在脚本入口处 require 即可生效。
High
Shell

Package source references shell execution.

core/win-encoding.jsView on unpkg · L5
server.jsView file
1contains invisible/control Unicode U+FEFF (zero width no-break space) <U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF>
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

server.jsView on unpkg · L1
Trigger-reachable chain: manifest.main -> server.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

server.jsView on unpkg
bin/validpilot.jsView file
5Cross-file remote execution chain: bin/validpilot.js spawns server.js; helper contains network access plus dynamic code execution. L5: const path = require('path'); L6: const { spawn } = require('child_process'); L7: const { validationQuickRun } = require('../hands/verification_runner'); ... L9: L10: const PKG = require('../package.json'); L11: ... L103: const resolved = path.resolve(flowPath); L104: const raw = JSON.parse(fs.readFileSync(resolved, 'utf8')); L105: ... L135: function startServer(script, extraEnv = {}) { L136: const child = spawn(process.execPath, [path.join(__dirname, '..', script)], { L137: stdio: 'inherit',
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/validpilot.jsView on unpkg · L5

Findings

2 Critical3 High4 Medium6 Low
CriticalTrojan Source Unicodeserver.js
CriticalTrigger Reachable Dangerous Capabilityserver.js
HighChild Processcore/win-encoding.js
HighShellcore/win-encoding.js
HighCross File Remote Execution Contextbin/validpilot.js
MediumSecret Patternhands/deep_interactor.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings