registry  /  evomcp  /  0.1.6

evomcp@0.1.6

Evolutionary MCP server — cheap-model fanout (best-of-N + repair chains) and scalar-fitness evolution, gated by dod-guard verification. Keeps token-burning out of the agent's main context.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User configures and invokes the evomcp MCP server/tool.
Impact
A user-authorized MCP request can execute commands and alter the selected project; this is a dangerous agent capability rather than stealthy package malware.
Mechanism
MCP-driven Claude subprocess fanout plus shell-based project verification and Git patch/reset operations.
Rationale
The package is not malicious by static inspection: behavior is user-invoked and aligned with an MCP coding/evolution tool. Its explicit command and Git mutation capabilities merit a warning for dangerous agent capability.
Evidence
package.jsondist/bundle.js.mcp.json.claude-plugin/plugin.json~/deepclaude/proxy/start-proxy.jstemporary system-prompt filestemporary Git patch filescaller-selected Git workspace
Network endpoints2
127.0.0.1:3200api.deepseek.com/anthropic

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/bundle.js` launches `claude -p` with caller-provided prompts and project cwd.
  • `dist/bundle.js` runs caller-supplied verification commands with `execSync`.
  • `dist/bundle.js` can stash, clean, checkout, and apply patches in the requested Git workspace.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
  • `.mcp.json` is a declarative first-party MCP launch config, not a config-writing installer.
  • `dist/bundle.js` starts only when invoked as its bin/MCP server; no import-time execution.
  • Network targets are the configured local proxy or DeepSeek Anthropic endpoint; no unrelated exfiltration host found.
  • `DEEPSEEK_API_KEY` is passed to the Claude subprocess as its authentication token, with no source evidence of credential harvesting or separate upload.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 740 KB of source, external domains: 127.0.0.1, api.deepseek.com, github.com, json-schema.org, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

3 flagged · loading source
dist/bundle.jsView file
21100// src/agent.ts L21101: import { spawn, execSync } from "node:child_process"; L21102: import * as path from "node:path";
High
Child Process

Package source references child process execution.

dist/bundle.jsView on unpkg · L21100
21090const json = serializeMessage(message); L21091: if (this._stdout.write(json)) { L21092: resolve2(); ... L21100: // src/agent.ts L21101: import { spawn, execSync } from "node:child_process"; L21102: import * as path from "node:path"; ... L21104: import * as os from "node:os"; L21105: var PROXY_URL = "http://127.0.0.1:3200"; L21106: var DEEPSEEK_ANTHROPIC_ENDPOINT = "https://api.deepseek.com/anthropic";
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/bundle.jsView on unpkg · L21090
2941sourceCode = this.opts.code.process(sourceCode, sch); L2942: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L2943: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/bundle.jsView on unpkg · L2941

Findings

3 High2 Medium6 Low
HighChild Processdist/bundle.js
HighShell
HighCommand Output Exfiltrationdist/bundle.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/bundle.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings