registry  /  hlido-mcp-guard  /  0.1.0

hlido-mcp-guard@0.1.0

Check an MCP server's independent Hlido trust verdict before it starts — a zero-dependency, no-API-key runtime guardrail for Claude Code, Cursor, Cline, and any stdio MCP client.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The user-invoked CLI fetches a trust register, optionally blocks the supplied MCP-server command, then directly spawns that user-supplied command.

Static reason
One or more suspicious static signals were detected.
Trigger
User configures or runs `hlido-mcp-guard -- <command>`.
Impact
The configured register endpoint can influence whether the explicit wrapped command is allowed; network failures fail open.
Mechanism
Fetch trust metadata, cache it in temp storage, and pass through an explicit command.
Rationale
Static signals arise from the intended runtime guard design: a public-register fetch and direct spawn of a command explicitly provided by the user. Source inspection found no install-time execution or concrete malicious behavior.
Evidence
package.jsonbin/hlido-mcp-guard.mjsREADME.md<os tmpdir>/hlido-mcp-register.json
Network endpoints1
hlido.eu/data/mcp-register.json

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no lifecycle scripts; code runs only through the declared CLI.
    • `bin/hlido-mcp-guard.mjs` fetches a public Hlido register and caches it only in the OS temp directory.
    • The environment variable only overrides the register URL; no environment harvesting occurs.
    • `spawn()` executes only the command explicitly supplied after `--`, with inherited stdio.
    • No eval, shell interpolation, credential collection, exfiltration, persistence, or AI-client config writes found.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemNetworkShell
    Supply chain
    UrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 7.08 KB of source, external domains: hlido.eu

    Source & flagged code

    3 flagged · loading source
    bin/hlido-mcp-guard.mjsView file
    33*/ L34: import { spawn } from "node:child_process"; L35: import fs from "node:fs";
    High
    Child Process

    Package source references child process execution.

    bin/hlido-mcp-guard.mjsView on unpkg · L33
    33*/ L34: import { spawn } from "node:child_process"; L35: import fs from "node:fs"; ... L38: L39: const REGISTER_URL = process.env.HLIDO_REGISTER_URL || "https://hlido.eu/data/mcp-register.json"; L40: const CACHE = path.join(os.tmpdir(), "hlido-mcp-register.json");
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    bin/hlido-mcp-guard.mjsView on unpkg · L33
    113evidence: entry.evidence_url L114: ? (/^https?:\/\//.test(entry.evidence_url) ? entry.evidence_url : `https://hlido.eu${entry.evidence_url}`) L115: : `https://hlido.eu/mcp/`, ... L120: function passthrough(cmd) { L121: const child = spawn(cmd[0], cmd.slice(1), { stdio: "inherit" }); L122: for (const sig of ["SIGINT", "SIGTERM", "SIGHUP"]) process.on(sig, () => child.kill(sig)); L123: child.on("exit", (code, signal) => process.exit(signal ? 1 : (code ?? 0))); L124: child.on("error", (e) => { process.stderr.write(`hlido-mcp-guard: failed to start server: ${e.message}\n`); process.exit(127); }); L125: }
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    bin/hlido-mcp-guard.mjsView on unpkg · L113

    Findings

    4 High2 Medium2 Low
    HighChild Processbin/hlido-mcp-guard.mjs
    HighShell
    HighSame File Env Network Executionbin/hlido-mcp-guard.mjs
    HighCommand Output Exfiltrationbin/hlido-mcp-guard.mjs
    MediumNetwork
    MediumEnvironment Vars
    LowFilesystem
    LowUrl Strings