registry  /  agent-hq-mcp  /  0.10.2

agent-hq-mcp@0.10.2

Local stdio MCP server that runs coding tasks through OpenCode or trusted CLI worker profiles.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `agent-hq hint`/`agent-hq hint --yes` or `agent-hq register`, then starts the configured MCP server.
Impact
Can persist package-owned guidance/hooks and MCP registrations in user agent configuration; worker execution is an intended but powerful capability.
Mechanism
Consent-gated AI-agent configuration writes and configured CLI process spawning.
Rationale
This is not malicious install-time behavior, but it has a real explicit-user-command AI-agent control-surface mutation capability. Per policy, that warrants a warning rather than a block.
Evidence
package.jsondist/server.jsdist/server-main.jsdist/hint-cli.jsdist/register-cli.jsdist/runners/process.jsdist/config.jsdist/console-server.jsdist/job-store.js~/.claude/settings.json~/.codex/AGENTS.md~/.cursor/mcp.json
Network endpoints1
127.0.0.1

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/hint-cli.js` can write a Claude SessionStart hook and Codex guidance block.
  • `dist/register-cli.js` registers the server in Codex/Cursor/Claude MCP configuration.
  • `dist/runners/process.js` and `dist/job-store.js` spawn configured local worker CLIs.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • `dist/hint-cli.js` requires TTY confirmation unless the user explicitly passes `--yes`.
  • `dist/register-cli.js` refuses non-TTY mutation and prints snippets instead.
  • No remote fetch/exfiltration callsite was found; HTTP usage is local control traffic.
  • `dist/config.js` constrains job CWDs to configured allowed roots and rejects worker command paths inside them.
  • No `eval`, `Function`, VM use, native binary, or payload loader was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 70 file(s), 973 KB of source, external domains: 127.0.0.1, alignment.anthropic.com, antigravity.google, arxiv.org, cursor.com, deepmind.google, opencode.ai, openrouter.ai, www.nature.com, www.w3.org

Source & flagged code

1 flagged · loading source
dist/console/fonts/archivo-variable-latin.woff2View file
path = dist/console/fonts/archivo-variable-latin.woff2 kind = high_entropy_blob sizeBytes = 34940 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/console/fonts/archivo-variable-latin.woff2View on unpkg

Findings

1 High3 Medium4 Low
HighShips High Entropy Blobdist/console/fonts/archivo-variable-latin.woff2
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings