registry  /  @validpilot/ai-verify-mcp  /  1.8.4

@validpilot/ai-verify-mcp@1.8.4

AI 编程验证平台。让 AI 代码生成结果可验证、可信赖。MCP 协议原生支持,证据驱动。

AI Security Review

scanned 2h ago · by lpm-firewall-ai

This is an explicit MCP browser-validation and project-repair tool, not an install-time payload. A connected MCP client can invoke browser JavaScript evaluation, target-site requests, project-file edits, and arbitrary shell commands through `atl_fix`.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Explicit `ai-verify` CLI/server start followed by an MCP `atl_fix` or browser tool request; HTTP mode increases exposure if started without `MCP_API_KEY`.
Impact
A malicious or untrusted MCP client can execute commands and modify files with the user’s privileges; this is a dangerous dual-use capability.
Mechanism
Caller-controlled MCP command execution, browser evaluation, and file mutation.
Rationale
Source inspection does not support a malicious publish block. The exposed arbitrary command execution and unauthenticated optional HTTP mode are material dual-use risks, so downgrade to a warning.
Evidence
package.jsonbin/validpilot.jsserver.jshandlers/atl.jshandlers/browser.jstools/atl_fix.jsontools/browser_eval.jsonhandlers/correlate.jscore/redaction.js

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `handlers/atl.js` runs arbitrary caller-provided shell commands via `execSync` when `atl_fix` uses `fixType: command`.
  • `handlers/browser.js` exposes `browser_eval`, evaluating caller-provided JavaScript in the active browser page.
  • `server.js` HTTP mode accepts unauthenticated MCP requests when `MCP_API_KEY` is unset and listens without an explicit loopback host.
  • `server.js` begins with repeated U+FEFF bytes; abnormal formatting but no hidden executable branch was found.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall`; `prepublishOnly` runs only during publishing.
  • `bin/validpilot.js` starts services and browser actions only after explicit CLI commands.
  • Network fetches target user-supplied validation URLs; no package-controlled credential-exfiltration endpoint was found.
  • `core/redaction.js` redacts common secret-bearing fields before reported output.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 1.14 MB of source, external domains: evil.com, example.com, validpilot.com, www.w3.org

Source & flagged code

7 flagged · loading source
hands/deep_interactor.jsView file
190patternName = generic_password severity = medium line = 190 matchedText = password...er',
Medium
Secret Pattern

Package contains a possible secret pattern.

hands/deep_interactor.jsView on unpkg · L190
core/win-encoding.jsView file
15// 切换控制台代码页为 UTF-8 L16: require('child_process').execSync('chcp 65001', { stdio: 'ignore' }); L17: } catch (_) {
High
Child Process

Package source references child process execution.

core/win-encoding.jsView on unpkg · L15
5* L6: * 解决 PowerShell (GBK) 显示 Node.js UTF-8 输出时中文乱码的问题。 L7: * 在脚本入口处 require 即可生效。
High
Shell

Package source references shell execution.

core/win-encoding.jsView on unpkg · L5
server.jsView file
1contains invisible/control Unicode U+FEFF (zero width no-break space) <U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF><U+FEFF>
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

server.jsView on unpkg · L1
Trigger-reachable chain: manifest.main -> server.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

server.jsView on unpkg
matchType = previous_version_dangerous_delta matchedPackage = @validpilot/ai-verify-mcp@1.8.3 matchedIdentity = npm:[redacted]:1.8.3 similarity = 0.980 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

server.jsView on unpkg
bin/validpilot.jsView file
5Cross-file remote execution chain: bin/validpilot.js spawns server.js; helper contains network access plus dynamic code execution. L5: const path = require('path'); L6: const { spawn } = require('child_process'); L7: const { validationQuickRun } = require('../hands/verification_runner'); ... L9: L10: const PKG = require('../package.json'); L11: ... L103: const resolved = path.resolve(flowPath); L104: const raw = JSON.parse(fs.readFileSync(resolved, 'utf8')); L105: ... L135: function startServer(script, extraEnv = {}) { L136: const child = spawn(process.execPath, [path.join(__dirname, '..', script)], { L137: stdio: 'inherit',
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/validpilot.jsView on unpkg · L5

Findings

3 Critical3 High4 Medium6 Low
CriticalTrojan Source Unicodeserver.js
CriticalTrigger Reachable Dangerous Capabilityserver.js
CriticalPrevious Version Dangerous Deltaserver.js
HighChild Processcore/win-encoding.js
HighShellcore/win-encoding.js
HighCross File Remote Execution Contextbin/validpilot.js
MediumSecret Patternhands/deep_interactor.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings