registry  /  get-an-expert-agent  /  0.1.2

get-an-expert-agent@0.1.2

Get An Expert agent — on-demand expert assistance where the expert works directly on your machine through scoped, consent-based access. Runs as an MCP server inside Claude Code, Codex, Cursor, or Windsurf.

AI Security Review

scanned 7h ago · by lpm-firewall-ai

An explicitly approved remote expert can read/write scoped files, run a shell, and access one localhost browser port. The intended project-file boundary can be bypassed through existing symlinks because paths are not realpath-checked.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User invokes `request_expert_help`, approves scopes, and an expert joins the relay session.
Impact
Approved expert access enables arbitrary commands; symlink traversal can extend file access outside the selected project.
Mechanism
Consent-gated peer-to-peer remote administration with shell and filesystem tools.
Rationale
Source inspection confirms a consent-gated remote-control capability and a symlink containment flaw, but not concrete malicious behavior. The scanner's remote decode/execute claim is unsupported by the source.
Evidence
package.jsonREADME.mddist/index.js
Network endpoints2
wss://get-an-expert-relay-production.up.railway.app/agentstun:stun.l.google.com:19302

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/index.js` exposes remote shell, PTY, file read/write, and browser tools.
  • `run_command` uses `spawn(..., { shell: true })` after terminal consent.
  • File containment is lexical; pre-existing project symlinks can escape `projectDir`.
  • Relay registration sends project directory and issue text to Railway WebSocket.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • Session access requires explicit MCP elicitation and scope approval.
  • Scopes are revocable; terminal PTYs are killed on revocation.
  • No decoded remote payload execution, eval, or downloader is present; base64 is a browser screenshot.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 44.3 KB of source

Source & flagged code

4 flagged · loading source
dist/index.jsView file
194// src/relay-client.ts L195: import WebSocket from "ws"; L196: var RelayClient = class { ... L211: register(input) { L212: return new Promise((resolve4, reject) => { L213: const ws = new WebSocket(`${this.#url}/agent`); ... L217: ws.on("open", () => { L218: ws.send( L219: JSON.stringify({ ... L229: try { L230: msg = JSON.parse(raw.toString()); L231: } catch {
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/index.jsView on unpkg · L194
Trigger-reachable chain: manifest.bin -> dist/index.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg
320// src/tools.ts L321: import { spawn } from "child_process"; L322: import { mkdir, readFile, readdir, stat, writeFile } from "fs/promises";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L320
403cwd: this.#gate.projectDir, L404: shell: true, L405: windowsHide: true
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L403

Findings

2 Critical2 High3 Medium2 Low
CriticalRemote Asset Decode Executedist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem