AI Security Review
scanned 2h ago · by lpm-firewall-ai
Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs igel-qe init --with-* or igel-qe platform setup, or starts igel-qe-mcp.
Impact
Agent-facing tools can access configured enterprise services and write generated test scripts when invoked; shipped credentials may expose secrets if valid.
Mechanism
user-invoked MCP registration plus fixed Python workflow spawning
Policy narrative
A user can explicitly register the package MCP server into IDE/agent settings. The MCP server then exposes fixed QE tools that spawn the packaged Python workflow engine, which may call configured enterprise endpoints and generate test scripts. This is broad agent capability, but inspection found no lifecycle delivery, persistence, arbitrary remote payload execution, or credential exfiltration behavior.
Rationale
Because the broad agent-control writes are explicit/user-invoked rather than lifecycle-triggered, this does not meet the block policy for AI-agent control hijack. The populated .env and powerful MCP integration leave real residual risk, so warn rather than mark clean.
Evidence
- package.json
- dist/cli/index.js
- dist/cli/platform.js
- dist/mcp/server.js
- knowledge_base/config/.env
- knowledge_base/config/settings.py
- knowledge_base/cli/workflow_cli.py
- knowledge_base/agents/script_generator_agent.py
- ~/.config/Code/User/mcp.json
- ~/.config/Code/User/settings.json
- ~/.vscode-server/data/User/mcp.json
- ~/.vscode-server/data/User/settings.json
- .vscode/mcp.json
- .mcp.json
- ~/.vscode-server/data/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json
- tests/test_<jira_key>.py
Network endpoints (5)
- qe-genai.cognitiveservices.azure.com/
- 127.0.0.1:3002
- kb.igel.com
- community.igel.com
- 192.168.204.65:5432
Decision evidence
public snapshot: AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/cli/platform.js user-invoked setup writes MCP entries into VS Code/Copilot, Cline, and Antigravity config files.
- knowledge_base/config/.env is shipped and contains real-looking configured DB/Azure credential fields, not only placeholders.
- dist/mcp/server.js exposes MCP tools that spawn the packaged Python workflow engine with inherited environment.
- knowledge_base/agents/script_generator_agent.py can write generated pytest files under tests/ when generate_automation is invoked.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- Agent/MCP config mutation is gated behind explicit igel-qe init flags or platform setup command, not install-time execution.
- MCP tools are package-aligned QE workflows and only map fixed tool names to fixed Python actions.
- No code found harvesting broad local files, shell startup files, VCS hooks, persistence, or exfiltrating credentials to attacker-controlled endpoints.
- Network endpoints are product/config aligned: Azure OpenAI, IGEL KB/community, local Firecrawl, and configured internal DB host.
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Shell, NoLicense
Source & flagged code
2 flagged
knowledge_base/config/.env
patternName = blocked_file
severity = critical
matchedText = knowledge_base/config/.env
redactedSecretContext =
secretLikeLines = 12
L6: DB_PASSWORD=<redacted:5 value>
L14: AZURE_API_KEY=<redacted:84 token-like>
L20: AZURE_EMBEDDING_DEPLOYMENT=<redacted:22 token-like>
L35: RERANKER_MODEL=<redacted:36 token-like>
L48: CHUNK_PARENT_MAX_TOKENS=<redacted:4 value>
L49: CHUNK_CHILD_MAX_TOKENS=<redacted:3 value>
L50: CHUNK_OVERLAP_TOKENS=<redacted:2 value>
L56: WEB_SEARCH_BACKENDS=<redacted:22 token-like>
omittedSecretLikeLines = 4
Critical
Critical Secret
Package contains a critical-looking secret pattern.
knowledge_base/config/.env · L6
knowledge_base/connectors/playwright_fetcher.py
path = knowledge_base/connectors/playwright_fetcher.py
kind = build_helper
sizeBytes = 1486
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
knowledge_base/connectors/playwright_fetcher.py
Findings
1 Critical · 2 Medium · 3 Low
- Critical: Critical Secret (knowledge_base/config/.env)
- Medium: Environment Vars
- Medium: Ships Build Helper (knowledge_base/connectors/playwright_fetcher.py)
- Low: Scripts Present
- Low: Filesystem
- Low: No License