registry  /  argusai-mcp  /  0.14.1

argusai-mcp@0.14.1

ArgusAI MCP server — expose E2E testing tools to AI coding agents via Model Context Protocol

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package is an MCP server that can control Docker-backed test resources. In explicit HTTP mode it listens on a network interface and leaves authentication optional, so a remotely reachable deployment could expose those user-project operations.

Static reason
No blocking static signals were detected.
Trigger
User starts `argusai-mcp` in HTTP mode without `--api-key` and exposes the selected port.
Impact
A network client may cause Docker and test actions in the server host's accessible project context.
Mechanism
Unauthenticated MCP tool calls can invoke project-configured Docker/test operations.
Rationale
Source inspection found no exfiltration, stealth, lifecycle mutation, or concrete malicious behavior. However, the optional-auth HTTP control plane exposes privileged Docker/test capabilities when deployed insecurely, constituting a real security risk rather than a clean package verdict.
Evidence
package.jsondist/index.jsdist/transports/http-transport.jsdist/server.jsdist/tools/setup.jsdist/tools/status.jsdist/tools/run.jsdist/session.jsdist/tools/mock-requests.jsdist/tools/init.jsdist/tools/clean.jsdist/tools/build.js
Network endpoints3
0.0.0.0:<port>/mcplocalhost:<port>/_mock/requestslocalhost:3000

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/index.js` enables HTTP mode via CLI or `MCP_MODE` and defaults host to `0.0.0.0`.
  • `dist/transports/http-transport.js` exposes MCP requests without authentication unless an API key is supplied.
  • `dist/tools/setup.js` runs Docker commands and starts configured containers after MCP tool invocation.
  • `dist/tools/status.js` invokes Docker inspection; `dist/tools/run.js` passes process environment to test execution.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • Entrypoint execution is user-invoked CLI/MCP server startup, not install-time or import-time payload execution.
  • Observed network URLs are localhost service/mock endpoints; no external collection or exfiltration endpoint appears in inspected code.
  • Docker subprocess calls use `execFile` argument arrays, with an explicit comment avoiding shell injection.
  • No `eval`, VM, credential harvesting, agent-config mutation, persistence, or destructive host-file behavior was found in inspected files.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsNetworkShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 27 file(s), 146 KB of source

Source & flagged code

4 flagged · loading source
dist/index.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/index.js` enables HTTP mode via CLI or `MCP_MODE` and defaults host to `0.0.0.0`.

dist/index.jsView on unpkg
dist/transports/http-transport.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/transports/http-transport.js` exposes MCP requests without authentication unless an API key is supplied.

dist/transports/http-transport.jsView on unpkg
dist/tools/setup.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/tools/setup.js` runs Docker commands and starts configured containers after MCP tool invocation.

dist/tools/setup.jsView on unpkg
dist/tools/status.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/tools/status.js` invokes Docker inspection; `dist/tools/run.js` passes process environment to test execution.

dist/tools/status.jsView on unpkg

Findings

6 Medium2 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/index.js
MediumAi Review Evidencedist/transports/http-transport.js
MediumAi Review Evidencedist/tools/setup.js
MediumAi Review Evidencedist/tools/status.js
LowScripts Present
LowHigh Entropy Strings