registry  /  get-an-expert-agent  /  0.1.3

get-an-expert-agent@0.1.3

Get An Expert agent — on-demand expert assistance where the expert works directly on your machine through scoped, consent-based access. Runs as an MCP server inside Claude Code, Codex, Cursor, or Windsurf.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

This is an explicit MCP remote-assistance agent with high-impact capabilities. A connected expert can read/write approved project files and run arbitrary shell commands after the user grants scopes.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User invokes the MCP `request_expert_help` tool and approves one or more scopes.
Impact
A malicious or compromised expert can modify project files, access command-visible credentials, and execute commands in the approved project context.
Mechanism
Consent-gated WebRTC remote control with MCP tools and PTY shell access.
Rationale
No concrete stealth, payload staging, install-time mutation, or unconsented execution was found. The package nevertheless creates a real remote command-and-file-control capability, so it warrants a warning rather than a block.
Evidence
package.jsondist/index.jsREADME.md
Network endpoints2
wss://get-an-expert-relay-production.up.railway.appstun:stun.l.google.com:19302

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/index.js` connects to a default third-party relay and accepts an expert WebRTC channel.
  • `dist/index.js` exposes file read/write and shell command execution to the connected expert.
  • PTY support launches the user shell with inherited environment after Terminal access is granted.
  • Relay registration sends customer name, project directory, and issue metadata.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • `request_expert_help` requires MCP elicitation approval; missing elicitation fails closed.
  • `PermissionGate` confines file paths to the chosen project directory and gates terminal/browser access.
  • `revoke_access` kills PTYs and `end_session` revokes scopes and tears down the peer.
  • No `eval`, `Function`, decoded-payload execution, or remote code-loading primitive was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 44.1 KB of source

Source & flagged code

4 flagged · loading source
dist/index.jsView file
194// src/relay-client.ts L195: import WebSocket from "ws"; L196: var RelayClient = class { ... L211: register(input) { L212: return new Promise((resolve4, reject) => { L213: const ws = new WebSocket(`${this.#url}/agent`); ... L217: ws.on("open", () => { L218: ws.send( L219: JSON.stringify({ ... L229: try { L230: msg = JSON.parse(raw.toString()); L231: } catch {
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/index.jsView on unpkg · L194
Trigger-reachable chain: manifest.bin -> dist/index.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg
320// src/tools.ts L321: import { spawn } from "child_process"; L322: import { mkdir, readFile, readdir, stat, writeFile } from "fs/promises";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L320
403cwd: this.#gate.projectDir, L404: shell: true, L405: windowsHide: true
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L403

Findings

2 Critical2 High3 Medium2 Low
CriticalRemote Asset Decode Executedist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem