AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs npx dexe-mcp init or invokes MCP tools such as dexe_compile, IPFS upload, Safe propose, or tx send.
Impact
Can add first-party agent skills, store secrets in .env, clone/build DeXe-Protocol, upload to IPFS, or sign/broadcast/propose blockchain transactions when user configured credentials and invokes tools.
Mechanism
interactive MCP setup and DeXe governance tooling
Rationale
Source inspection supports a warning for explicit user-command agent extension setup and high-impact blockchain tooling, but not a publish block because there is no unconsented lifecycle mutation, exfiltration, remote payload execution, or stealth persistence. The scanner's dangerous delta maps to an interactive init workflow with prompts and package-owned files.
Evidence
package.jsondist/index.jsdist/cli/init.jsdist/bootstrap.jsdist/hardhat.jsdist/lib/ipfs.jsdist/lib/stateStore.jsdist/tools/safe.js.env./.claude/skills/<skill>/SKILL.md~/.claude/skills/<skill>/SKILL.md~/.dexe-mcp/state.jsonplatform cache/dexe-mcp/DeXe-Protocoltemporary dexe-mcp hardhat log files
Network endpoints7
api.pinata.cloud/data/testAuthenticationapi.pinata.cloud/pinning/pinJSONToIPFSapi.pinata.cloud/pinning/pinFileToIPFSgithub.com/dexe-network/DeXe-Protocol.gitapi.safe.global/tx-service/<shortname>/api/v2wss://relay.walletconnect.comapi.dexe.io
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- dist/cli/init.js offers explicit install of shipped Claude Code skills to ./.claude/skills or ~/.claude/skills.
- dist/cli/init.js writes a plaintext .env with RPC/JWT/private-key values after interactive prompts.
- dist/bootstrap.js can clone https://github.com/dexe-network/DeXe-Protocol.git and run npm install when build tools are invoked.
- dist/hardhat.js runs npm/hardhat commands only through registered MCP build/test tools.
Evidence against
- package.json has no install/preinstall/postinstall hooks; only prepublishOnly.
- dist/index.js loads .env and starts an MCP stdio server; CLI init/doctor require explicit argv subcommands.
- dist/cli/init.js says it prints a .claude.json snippet and does not auto-edit MCP host config.
- dist/lib/ipfs.js and dist/tools/safe.js network calls are package-aligned Pinata/IPFS/Safe/DeXe operations.
- No credential harvesting or exfiltration found; env/private key use supports user-requested signing/upload flows.
- Skill files are copied from packaged skills only, not fetched remotely.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/cli/init.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = dexe-mcp@0.15.0
matchedIdentity = npm:ZGV4ZS1tY3A:0.15.0
similarity = 0.940
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/cli/init.jsView on unpkgFindings
1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/cli/init.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings