registry  /  agent-hq-mcp  /  0.10.3

agent-hq-mcp@0.10.3

Local stdio MCP server that runs coding tasks through OpenCode or trusted CLI worker profiles.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked local MCP/CLI orchestrator that can intentionally launch configured worker CLIs and run a token-protected loopback console.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs an agent-hq CLI command, explicitly registers it with an MCP host, or that registered host starts it.
Impact
Expected agent-orchestration capabilities; no install-time mutation, secret exfiltration, remote payload retrieval, or stealth persistence was confirmed.
Mechanism
Local daemon, configured worker-process spawning, and explicitly confirmed host registration.
Rationale
Source inspection shows sensitive actions are package-aligned and activated through explicit CLI/MCP use; MCP-host configuration writes are interactive and scoped to this package's own entry. No concrete malicious behavior was found.
Evidence
package.jsondist/server.jsdist/server-main.jsdist/console-server.jsdist/register-cli.jsdist/daemon-protocol.jsdist/daemon-service.jsdist/runners/process.jsdist/secret-store.js
Network endpoints1
127.0.0.1

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no preinstall/install/postinstall lifecycle hook.
    • `dist/server.js` executes only after a user/MCP invocation and loads `server-main` after a runtime check.
    • `dist/register-cli.js` requires interactive confirmation before modifying Claude, Codex, or Cursor MCP registration.
    • `dist/console-server.js` listens only on `127.0.0.1` and uses a random token.
    • No `fetch()` calls, eval/vm usage, native loading, or external HTTP endpoints were found in package JavaScript.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 73 file(s), 1.04 MB of source, external domains: 127.0.0.1, alignment.anthropic.com, antigravity.google, arxiv.org, cursor.com, deepmind.google, opencode.ai, openrouter.ai, www.nature.com, www.w3.org

    Source & flagged code

    2 flagged · loading source
    dist/console/fonts/archivo-variable-latin.woff2View file
    path = dist/console/fonts/archivo-variable-latin.woff2 kind = high_entropy_blob sizeBytes = 34940 magicHex = [redacted]
    High
    Ships High Entropy Blob

    Package ships high-entropy non-source blobs.

    dist/console/fonts/archivo-variable-latin.woff2View on unpkg
    dist/daemon-service.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = agent-hq-mcp@0.10.2 matchedIdentity = npm:YWdlbnQtaHEtbWNw:0.10.2 similarity = 0.676 summary = stored previous version shares package body but lacks this dangerous source file
    High
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/daemon-service.jsView on unpkg

    Findings

    2 High3 Medium4 Low
    HighShips High Entropy Blobdist/console/fonts/archivo-variable-latin.woff2
    HighPrevious Version Dangerous Deltadist/daemon-service.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings