igel-qe-core@1.0.1

IGEL QE Developer Experience Layer (CLI & MCP)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package provides a user-invoked CLI/MCP bridge to Python QE workflows; the main residual risk is packaged live-looking configuration secrets and agent-facing automation capability.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs igel-qe sync, igel-qe-mcp, or calls an MCP tool
Impact
Can contact configured Jira/Azure/DB services and write generated test scripts when explicitly invoked; no unconsented install-time mutation found.
Mechanism
user-invoked MCP/CLI spawns package Python workflows
Rationale
Source inspection shows a package-aligned QE CLI/MCP server with explicit user-triggered Python workflows and no lifecycle hook, persistence, foreign AI-agent control-surface mutation, or exfiltration behavior. The populated .env values shipped in the package are a serious hygiene/credential exposure issue, but without malicious use against consumers they do not justify blocking as malware.
Evidence
  • package.json
  • dist/cli/index.js
  • dist/mcp/server.js
  • knowledge_base/cli/workflow_cli.py
  • knowledge_base/config/.env
  • knowledge_base/config/settings.py
  • knowledge_base/connectors/jira_connector.py
  • knowledge_base/agents/script_generator_agent.py
  • tests/test_<jira_key>.py
Network endpoints (5)
  • kb.igel.com
  • community.igel.com
  • 127.0.0.1:3002
  • redis://localhost:6379/0
  • bolt://localhost:7687

Decision evidence

public snapshot
AI called this Clean at 87.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • knowledge_base/config/.env is packaged and contains populated credential fields, but no exfiltration path was found.
  • dist/mcp/server.js exposes MCP tools that spawn package Python workflows on user MCP calls.
  • knowledge_base/agents/script_generator_agent.py can write generated pytest files under cwd/tests during generate_test_cases.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • dist/cli/index.js only runs workflows after explicit igel-qe commands.
  • dist/mcp/server.js uses stdio MCP and does not register or mutate foreign agent config files.
  • No code writes .mcp.json, Claude/Codex/Cursor settings, shell startup files, VCS hooks, or autostart entries.
  • Network use is package-aligned: Jira, Azure OpenAI, IGEL/community KB, local Firecrawl, DB/Redis configuration.
  • No credential harvesting, home-directory traversal, destructive behavior, remote payload download, or import-time execution found.
Behavioral surface
Source
ChildProcess, EnvironmentVars, Shell
Supply chain
No supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 2 file(s), 7.51 KB of source

Source & flagged code

2 flagged
knowledge_base/config/.env
patternName = blocked_file
severity = critical
matchedText = knowledge_base/config/.env
redactedSecretContext =
  secretLikeLines = 12
  L6: DB_PASSWORD=<redacted:5 value>
  L14: AZURE_API_KEY=<redacted:84 token-like>
  L20: AZURE_EMBEDDING_DEPLOYMENT=<redacted:22 token-like>
  L35: RERANKER_MODEL=<redacted:36 token-like>
  L48: CHUNK_PARENT_MAX_TOKENS=<redacted:4 value>
  L49: CHUNK_CHILD_MAX_TOKENS=<redacted:3 value>
  L50: CHUNK_OVERLAP_TOKENS=<redacted:2 value>
  L56: WEB_SEARCH_BACKENDS=<redacted:22 token-like>
  omittedSecretLikeLines = 4
Critical
Critical Secret

Package contains a critical-looking secret pattern.

knowledge_base/config/.env · L6
knowledge_base/connectors/playwright_fetcher.py
path = knowledge_base/connectors/playwright_fetcher.py
kind = build_helper
sizeBytes = 1486
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

knowledge_base/connectors/playwright_fetcher.py

Findings

1 Critical, 2 Medium, 2 Low
  • Critical: Critical Secret (knowledge_base/config/.env)
  • Medium: Environment Vars
  • Medium: Ships Build Helper (knowledge_base/connectors/playwright_fetcher.py)
  • Low: Scripts Present
  • Low: No License