AI Security Review
scanned 3h ago · by lpm-firewall-ai
No confirmed malicious attack surface is established. The package provides a user-invoked CLI/MCP bridge to Python QE workflows; the main residual risk is packaged live-looking configuration secrets and agent-facing automation capability.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs igel-qe sync, igel-qe-mcp, or calls an MCP tool
Impact
Can contact configured Jira/Azure/DB services and write generated test scripts when explicitly invoked; no unconsented install-time mutation found.
Mechanism
user-invoked MCP/CLI spawns package Python workflows
Rationale
Source inspection shows a package-aligned QE CLI/MCP server with explicit user-triggered Python workflows and no lifecycle hook, persistence, foreign AI-agent control-surface mutation, or exfiltration behavior. The populated values in the packaged .env file are a serious hygiene and credential-exposure issue, but without malicious use against consumers they do not justify blocking the package as malware.
Evidence
- package.json
- dist/cli/index.js
- dist/mcp/server.js
- knowledge_base/cli/workflow_cli.py
- knowledge_base/config/.env
- knowledge_base/config/settings.py
- knowledge_base/connectors/jira_connector.py
- knowledge_base/agents/script_generator_agent.py
- tests/test_<jira_key>.py
Network endpoints (5)
- kb.igel.com
- community.igel.com
- 127.0.0.1:3002
- redis://localhost:6379/0
- bolt://localhost:7687
Decision evidence
public snapshot
AI called this Clean at 87.0% confidence as Benign with medium false-positive risk.
Evidence for block
- knowledge_base/config/.env is packaged and contains populated credential fields, but no exfiltration path was found.
- dist/mcp/server.js exposes MCP tools that spawn package Python workflows on user MCP calls.
- knowledge_base/agents/script_generator_agent.py can write generated pytest files under cwd/tests during generate_test_cases.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- dist/cli/index.js only runs workflows after explicit igel-qe commands.
- dist/mcp/server.js uses stdio MCP and does not register or mutate foreign agent config files.
- No code writes .mcp.json, Claude/Codex/Cursor settings, shell startup files, VCS hooks, or autostart entries.
- Network use is package-aligned: Jira, Azure OpenAI, IGEL/community KB, local Firecrawl, DB/Redis configuration.
- No credential harvesting, home-directory traversal, destructive behavior, remote payload download, or import-time execution found.
Behavioral surface
- ChildProcess
- EnvironmentVars
- Shell
- NoLicense
Source & flagged code
2 flagged
knowledge_base/config/.env
patternName = blocked_file
severity = critical
matchedText = knowledge_base/config/.env
redactedSecretContext =
secretLikeLines = 12
L6: DB_PASSWORD=<redacted:5 value>
L14: AZURE_API_KEY=<redacted:84 token-like>
L20: AZURE_EMBEDDING_DEPLOYMENT=<redacted:22 token-like>
L35: RERANKER_MODEL=<redacted:36 token-like>
L48: CHUNK_PARENT_MAX_TOKENS=<redacted:4 value>
L49: CHUNK_CHILD_MAX_TOKENS=<redacted:3 value>
L50: CHUNK_OVERLAP_TOKENS=<redacted:2 value>
L56: WEB_SEARCH_BACKENDS=<redacted:22 token-like>
omittedSecretLikeLines = 4
Critical
Critical Secret
Package contains a critical-looking secret pattern.
knowledge_base/config/.env · L6
knowledge_base/connectors/playwright_fetcher.py
path = knowledge_base/connectors/playwright_fetcher.py
kind = build_helper
sizeBytes = 1486
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
knowledge_base/connectors/playwright_fetcher.py
Findings
1 Critical · 2 Medium · 2 Low
- Critical: Critical Secret (knowledge_base/config/.env)
- Medium: Environment Vars
- Medium: Ships Build Helper (knowledge_base/connectors/playwright_fetcher.py)
- Low: Scripts Present
- Low: No License