registry  /  dexe-mcp  /  0.14.0

dexe-mcp@0.14.0

MCP server for the DeXe Protocol — full DAO operations coverage: deploy DAOs, build every proposal type, IPFS metadata, stake/vote/delegate/execute/claim calldata. Plus dev tooling (build/test/introspect/decode).

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs npx dexe-mcp init or invokes MCP tools such as dexe_compile, IPFS upload, Safe propose, or tx send.
Impact
Can add first-party agent skills, store secrets in .env, clone/build DeXe-Protocol, upload to IPFS, or sign/broadcast/propose blockchain transactions when user configured credentials and invokes tools.
Mechanism
interactive MCP setup and DeXe governance tooling
Rationale
Source inspection supports a warning for explicit user-command agent extension setup and high-impact blockchain tooling, but not a publish block because there is no unconsented lifecycle mutation, exfiltration, remote payload execution, or stealth persistence. The scanner's dangerous delta maps to an interactive init workflow with prompts and package-owned files.
Evidence
package.jsondist/index.jsdist/cli/init.jsdist/bootstrap.jsdist/hardhat.jsdist/lib/ipfs.jsdist/lib/stateStore.jsdist/tools/safe.js.env./.claude/skills/<skill>/SKILL.md~/.claude/skills/<skill>/SKILL.md~/.dexe-mcp/state.jsonplatform cache/dexe-mcp/DeXe-Protocoltemporary dexe-mcp hardhat log files
Network endpoints7
api.pinata.cloud/data/testAuthenticationapi.pinata.cloud/pinning/pinJSONToIPFSapi.pinata.cloud/pinning/pinFileToIPFSgithub.com/dexe-network/DeXe-Protocol.gitapi.safe.global/tx-service/<shortname>/api/v2wss://relay.walletconnect.comapi.dexe.io

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/cli/init.js offers explicit install of shipped Claude Code skills to ./.claude/skills or ~/.claude/skills.
  • dist/cli/init.js writes a plaintext .env with RPC/JWT/private-key values after interactive prompts.
  • dist/bootstrap.js can clone https://github.com/dexe-network/DeXe-Protocol.git and run npm install when build tools are invoked.
  • dist/hardhat.js runs npm/hardhat commands only through registered MCP build/test tools.
Evidence against
  • package.json has no install/preinstall/postinstall hooks; only prepublishOnly.
  • dist/index.js loads .env and starts an MCP stdio server; CLI init/doctor require explicit argv subcommands.
  • dist/cli/init.js says it prints a .claude.json snippet and does not auto-edit MCP host config.
  • dist/lib/ipfs.js and dist/tools/safe.js network calls are package-aligned Pinata/IPFS/Safe/DeXe operations.
  • No credential harvesting or exfiltration found; env/private key use supports user-requested signing/upload flows.
  • Skill files are copied from packaged skills only, not fetched remotely.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 85 file(s), 876 KB of source, external domains: api.beta.dexe.io, api.dexe.io, api.pinata.cloud, api.qrserver.com, api.safe.global, api.tally.xyz, app.pinata.cloud, avatars.githubusercontent.com, bsc-dataseed.binance.org, bsc-dataseed.bnbchain.org, chainlist.org, cloud.reown.com, data-seed-prebsc-1-s1.bnbchain.org, dweb.link, gateway.pinata.cloud, gateway.thegraph.com, git-scm.com, github.com, ipfs.io, nodejs.org, www.w3.org, x.com

Source & flagged code

1 flagged · loading source
dist/cli/init.jsView file
matchType = previous_version_dangerous_delta matchedPackage = dexe-mcp@0.15.0 matchedIdentity = npm:ZGV4ZS1tY3A:0.15.0 similarity = 0.940 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/init.jsView on unpkg

Findings

1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/cli/init.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings