AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malware execution path was found, but the package contains exposed real-looking credentials and user-invoked AI/MCP configuration writes. The risky behavior is explicit CLI/MCP functionality rather than install-time execution.
Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs igel-qe init --with-* or igel-qe-mcp tool calls
Impact
Possible credential exposure and AI-agent tool registration if a user opts into setup
Mechanism
user-invoked MCP/Python workflow with bundled secrets
Attack narrative
The package is an IGEL QE CLI/MCP bundle. When invoked, it can register an MCP server into local coding-agent configs and run Python workflows that call Jira/Azure/DB services and write generated tests. I did not find install-time execution or covert exfiltration, but shipping live-looking credentials in knowledge_base/config/.env creates a real unresolved security risk.
Rationale
Static source inspection does not support a malicious verdict because the dangerous primitives are package-aligned and user-invoked, with no lifecycle hook or covert exfiltration. The bundled populated .env and AI-agent config mutation justify warning rather than marking clean.
Evidence
- package.json
- dist/cli/index.js
- dist/cli/platform.js
- dist/mcp/server.js
- knowledge_base/config/.env
- knowledge_base/config/settings.py
- knowledge_base/cli/workflow_cli.py
- knowledge_base/agents/script_generator_agent.py
- ~/.config/Code/User/settings.json
- ~/.config/Code/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json
- tests/test_<jira_key>.py
Network endpoints (4)
- qe-genai.cognitiveservices.azure.com/
- kb.igel.com
- community.igel.com
- 127.0.0.1:3002
Decision evidence
public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- knowledge_base/config/.env ships populated DB and Azure OpenAI credentials, not placeholders.
- dist/cli/platform.js writes MCP server entries into VS Code/Copilot, Cline, and Gemini/Antigravity config files when setup flags are used.
- dist/mcp/server.js exposes MCP tools that spawn python with inherited environment.
- knowledge_base/agents/script_generator_agent.py writes generated pytest code under cwd/tests after LLM generation.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- dist/cli/index.js only runs sync/platform actions after explicit CLI commands.
- dist/mcp/server.js uses stdio transport; no listener or hardcoded exfiltration endpoint found.
- Network use is package-aligned: Jira/Confluence/Azure/OpenAI-style RAG, IGEL KB/community, Firecrawl/local services.
- No credential harvesting loop, persistence hook, destructive filesystem walk, or obfuscated loader found.
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Shell
NoLicense
Source & flagged code
3 flagged
knowledge_base/config/.env
patternName = blocked_file
severity = critical
matchedText = knowledge_base/config/.env
redactedSecretContext =
secretLikeLines = 12
L6: DB_PASSWORD=<redacted:5 value>
L14: AZURE_API_KEY=<redacted:84 token-like>
L20: AZURE_EMBEDDING_DEPLOYMENT=<redacted:22 token-like>
L35: RERANKER_MODEL=<redacted:36 token-like>
L48: CHUNK_PARENT_MAX_TOKENS=<redacted:4 value>
L49: CHUNK_CHILD_MAX_TOKENS=<redacted:3 value>
L50: CHUNK_OVERLAP_TOKENS=<redacted:2 value>
L56: WEB_SEARCH_BACKENDS=<redacted:22 token-like>
omittedSecretLikeLines = 4
Critical
Critical Secret
Package contains a critical-looking secret pattern.
knowledge_base/config/.env · L6
knowledge_base/connectors/playwright_fetcher.py
path = knowledge_base/connectors/playwright_fetcher.py
kind = build_helper
sizeBytes = 1486
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
knowledge_base/connectors/playwright_fetcher.py
dist/cli/index.js
matchType = previous_version_dangerous_delta
matchedPackage = igel-qe-core@1.0.1
matchedIdentity = npm:aWdlbC1xZS1jb3Jl:1.0.1
similarity = 0.500
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/cli/index.js
Findings
2 Critical · 2 Medium · 3 Low
- Critical: Critical Secret (knowledge_base/config/.env)
- Critical: Previous Version Dangerous Delta (dist/cli/index.js)
- Medium: Environment Vars
- Medium: Ships Build Helper (knowledge_base/connectors/playwright_fetcher.py)
- Low: Scripts Present
- Low: Filesystem
- Low: No License