registry  /  agent-hq-mcp  /  0.9.0

agent-hq-mcp@0.9.0

Local stdio MCP server that runs coding tasks through OpenCode or trusted CLI worker profiles.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `agent-hq register` or invokes MCP tools that start configured workers.
Impact
Can extend configured AI-agent hosts and execute user-configured worker CLIs with their configured credentials.
Mechanism
Prompted MCP-host registration and configured local process spawning.
Rationale
Source inspection found no concrete malicious behavior or install-time persistence, but it does provide explicit user-command AI-agent host mutation and local worker execution. Per policy, that warrants a non-blocking warning rather than a block.
Evidence
package.jsondist/server-main.jsdist/register-cli.jsdist/runners/process.jsdist/console-server.jsdist/secret-store.js~/.codex/config.toml~/.cursor/mcp.json~/.config/agent-hq/config.jsonc

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/register-cli.js` explicitly writes `~/.codex/config.toml` and `~/.cursor/mcp.json` after prompts.
  • `dist/runners/process.js` spawns configured external worker commands.
  • `dist/secret-store.js` can store and retrieve provider secrets through macOS Keychain.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • `dist/server-main.js` invokes registration only for the explicit `register` command.
  • `dist/register-cli.js` refuses non-TTY mutation and asks before each host write.
  • `dist/console-server.js` binds its HTTP console to `127.0.0.1` and authenticates requests with a random token.
  • No package code performs outbound HTTP requests; URL literals are configuration, help, or documentation references.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 67 file(s), 930 KB of source, external domains: alignment.anthropic.com, antigravity.google, arxiv.org, cursor.com, deepmind.google, opencode.ai, openrouter.ai, www.nature.com, www.w3.org

Source & flagged code

2 flagged · loading source
dist/console/fonts/archivo-variable-latin.woff2View file
path = dist/console/fonts/archivo-variable-latin.woff2 kind = high_entropy_blob sizeBytes = 34940 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/console/fonts/archivo-variable-latin.woff2View on unpkg
dist/console-server.jsView file
matchType = previous_version_dangerous_delta matchedPackage = agent-hq-mcp@0.8.0 matchedIdentity = npm:YWdlbnQtaHEtbWNw:0.8.0 similarity = 0.524 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/console-server.jsView on unpkg

Findings

2 High3 Medium4 Low
HighShips High Entropy Blobdist/console/fonts/archivo-variable-latin.woff2
HighPrevious Version Dangerous Deltadist/console-server.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings