
igel-qe-core@1.0.0

IGEL QE Developer Experience Layer (CLI & MCP)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No malware execution path was confirmed, but the package leaks sensitive-looking configuration in a shipped .env file. Runtime MCP/CLI behavior is explicit and package-aligned.

Static reason
One or more suspicious static signals were detected.
Trigger
Installing or downloading the package exposes the packaged files; the CLI/MCP tools require explicit user execution.
Impact
Potential disclosure of database and Azure service credentials; no confirmed exfiltration, persistence, or remote code execution.
Mechanism
Packaged credential/config exposure without lifecycle execution.
Attack narrative
The package does not execute code during install and its JS bin entrypoints are user-invoked. The main concrete risk is that knowledge_base/config/.env is included in the package with live-looking service and database credentials, which exposes secrets to anyone receiving the tarball. I found no code path that harvests local secrets, phones home, mutates agent config, or persists itself.
Rationale
Static source inspection does not support a malicious verdict because there is no lifecycle execution, exfiltration path, persistence, or agent control hijack. The shipped populated .env is a real security issue, so warn rather than mark clean.
Evidence
  • knowledge_base/config/.env
  • knowledge_base/config/.env.example
  • package.json
  • dist/cli/index.js
  • dist/mcp/server.js
  • knowledge_base/connectors/playwright_fetcher.py
Network endpoints (4)
  • qe-genai.cognitiveservices.azure.com/
  • 127.0.0.1:3002
  • kb.igel.com
  • community.igel.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • knowledge_base/config/.env ships populated DB and Azure OpenAI credentials, not just placeholders
  • knowledge_base/config/.env contains internal DB host and Azure endpoint configuration
  • knowledge_base/deploy scripts can install services or fetch dependencies, but are not lifecycle-triggered
Evidence against
  • package.json has no preinstall/install/postinstall hooks
  • dist/cli/index.js only prints simulated init/sync status
  • dist/mcp/server.js exposes stdio MCP tools but returns simulated dispatch JSON
  • No package import-time network call, child_process use, eval/vm/Function, or dynamic require/import found in JS entrypoints
  • No unconsented writes to Claude/Codex/Cursor/MCP control surfaces found
  • Network-capable Python code is package-aligned KB/retrieval functionality and user-invoked
Behavioral surface
Source: No risky source behavior triggered.
Supply chain: No supply-chain packaging signals triggered.
Manifest: No License
scanned 2 file(s), 5.48 KB of source

Source & flagged code

2 flagged
knowledge_base/config/.env (line 6)
patternName = blocked_file
severity = critical
matchedText = knowledge_base/config/.env
redactedSecretContext =
  secretLikeLines = 12
  L6: DB_PASSWORD=<redacted:5 value>
  L14: AZURE_API_KEY=<redacted:84 token-like>
  L20: AZURE_EMBEDDING_DEPLOYMENT=<redacted:22 token-like>
  L35: RERANKER_MODEL=<redacted:36 token-like>
  L48: CHUNK_PARENT_MAX_TOKENS=<redacted:4 value>
  L49: CHUNK_CHILD_MAX_TOKENS=<redacted:3 value>
  L50: CHUNK_OVERLAP_TOKENS=<redacted:2 value>
  L56: WEB_SEARCH_BACKENDS=<redacted:22 token-like>
  omittedSecretLikeLines = 4
Critical Secret (severity: Critical)

Package contains a critical-looking secret pattern.

knowledge_base/config/.env · L6
knowledge_base/connectors/playwright_fetcher.py
path = knowledge_base/connectors/playwright_fetcher.py
kind = build_helper
sizeBytes = 1486
magicHex = [redacted]
Ships Build Helper (severity: Medium)

Package ships non-JavaScript build or shell helper files.

knowledge_base/connectors/playwright_fetcher.py

Findings

1 Critical · 1 Medium · 2 Low
  • Critical: Critical Secret (knowledge_base/config/.env)
  • Medium: Ships Build Helper (knowledge_base/connectors/playwright_fetcher.py)
  • Low: Scripts Present
  • Low: No License