registry  /  evomcp  /  0.1.10

evomcp@0.1.10

Evolutionary MCP server — cheap-model fanout (best-of-N + repair chains) and scalar-fitness evolution, gated by dod-guard verification. Keeps token-burning out of the agent's main context.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User or AI client explicitly invokes the `solve` or `evolve` MCP tool.
Impact
A trusted MCP client can cause commands and generated patches to run in its chosen project; credentials are sent only to the configured local proxy or DeepSeek API path.
Mechanism
Agent-driven command execution and Git patch application with configured DeepSeek credentials.
Rationale
Source inspection shows a user-invoked agent automation package rather than concrete malware. Its broad command and patch capability warrants a warning as a dangerous capability.
Evidence
package.jsondist/bundle.js.mcp.json.claude-plugin/plugin.json~/.claude/backends.json$TMPDIR/evomcp-system-*.md$TMPDIR/evomcp-best-*.patch
Network endpoints2
127.0.0.1:3200api.deepseek.com/anthropic

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/bundle.js` exposes MCP `solve`/`evolve` tools that invoke `claude -p` and caller-supplied verification/fitness commands.
  • `dist/bundle.js` reads `~/.claude/backends.json` and `DEEPSEEK_API_KEY`, then supplies the key to a local proxy or `api.deepseek.com`.
  • `dist/bundle.js` applies generated patches with `git apply` in the requested working directory.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook runs for consumers.
  • `.mcp.json` only declares a first-party MCP server command and does not mutate agent configuration.
  • Network and command execution occur only after explicit MCP tool calls; no import-time execution or stealth persistence was found.
  • No unrelated endpoint, credential harvesting beyond configured DeepSeek credentials, or destructive payload was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 746 KB of source, external domains: 127.0.0.1, api.deepseek.com, github.com, json-schema.org, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

3 flagged · loading source
dist/bundle.jsView file
21100// src/agent.ts L21101: import { execSync, spawn } from "node:child_process"; L21102: import * as fs from "node:fs";
High
Child Process

Package source references child process execution.

dist/bundle.jsView on unpkg · L21100
21090const json = serializeMessage(message); L21091: if (this._stdout.write(json)) { L21092: resolve2(); ... L21100: // src/agent.ts L21101: import { execSync, spawn } from "node:child_process"; L21102: import * as fs from "node:fs"; ... L21104: import * as path from "node:path"; L21105: var PROXY_URL = "http://127.0.0.1:3200"; L21106: var DEEPSEEK_ANTHROPIC_ENDPOINT = "https://api.deepseek.com/anthropic";
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/bundle.jsView on unpkg · L21090
2941sourceCode = this.opts.code.process(sourceCode, sch); L2942: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L2943: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/bundle.jsView on unpkg · L2941

Findings

3 High2 Medium6 Low
HighChild Processdist/bundle.js
HighShell
HighCommand Output Exfiltrationdist/bundle.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/bundle.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings