AI Security Review
scanned 2h ago · by lpm-firewall-aiThe MCP server exposes a caller-controlled arbitrary shell-command tool and arbitrary project-file modification tool. Its HTTP mode accepts tool calls without an API key unless the operator configures one.
Decision evidence
public snapshot- `tools/atl_fix.json` exposes a `command` repair mode and defaults `dryRun` to false.
- `handlers/atl.js` passes caller-supplied `command` directly to `execSync`.
- `handlers/atl.js` resolves and writes caller-selected code/config paths, including `.env` files.
- `server.js` registers `atl_fix` as an OSS MCP tool.
- `server.js` serves MCP calls without authentication when `MCP_API_KEY` is unset.
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook runs for consumers.
- No hard-coded exfiltration endpoint or credential-upload path was found.
- `core/redaction.js` redacts common credential values from captured output.
- No writes to Claude, Cursor, Windsurf, Copilot, or MCP client configuration were found.
- The repeated U+FEFF prefix in `server.js` is not a bidi control-flow payload.
Source & flagged code
6 flagged · loading sourcePackage contains a possible secret pattern.
hands/deep_interactor.jsView on unpkg · L190Package source references child process execution.
core/win-encoding.jsView on unpkg · L15Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
server.jsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
server.jsView on unpkgSource spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
bin/validpilot.jsView on unpkg · L5