registry  /  bitrouter-mcp  /  1.0.0-alpha.24

bitrouter-mcp@1.0.0-alpha.24

BitRouter origin MCP server: exposes complete/list_models/status over stdio and streamable HTTP.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install automatically fetches a native release artifact and extracts it into the package directory. Invoking the provided CLI executes that fetched artifact. The JavaScript wrapper does not establish credential theft or AI-agent configuration tampering.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install activates postinstall; `mcp-stdio-local` activates the downloaded binary.
Impact
A compromised or substituted release artifact would execute with the installing user's privileges.
Mechanism
remote native-binary download, extraction, and execution
Rationale
No concrete malicious behavior is present in the inspected JavaScript, but automatic download and later execution of an unverifiable opaque native artifact is a material supply-chain risk. Flag as warn rather than block because no evidence shows an active malicious payload or unconsented broad agent-control mutation.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-mcp-stdio-local.jsREADME.mdnode_modules/.bin_real
Network endpoints1
github.com/bitrouter/bitrouter/releases/download/v1.0.0-alpha.24

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `node ./install.js` as `postinstall`.
  • `binary.js` forms a GitHub-release artifact URL from manifest data.
  • `binary-install.js` downloads and extracts an opaque platform binary at install time.
  • `binary-install.js` later executes the downloaded binary via `spawnSync`.
  • No checksum, signature, or pinned artifact digest is verified before execution.
Evidence against
  • JS source only targets the package-local `node_modules/.bin_real` directory.
  • No source evidence of credential/env harvesting or exfiltration.
  • No source writes MCP/Claude/Cursor/OpenAI configuration.
  • Child processes are limited to archive extraction and the installed package binary.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 10.0 KB of source, external domains: example.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings