
igel-qe-core@1.0.5

IGEL QE Developer Experience Layer (CLI & MCP)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs igel-qe init --with-* or igel-qe platform setup, or starts igel-qe-mcp.
Impact
Agent-facing tools can access configured enterprise services and write generated test scripts when invoked; shipped credentials may expose secrets if valid.
Mechanism
user-invoked MCP registration plus fixed Python workflow spawning
Policy narrative
A user can explicitly register the package MCP server into IDE/agent settings. The MCP server then exposes fixed QE tools that spawn the packaged Python workflow engine, which may call configured enterprise endpoints and generate test scripts. This is broad agent capability, but inspection found no lifecycle delivery, persistence, arbitrary remote payload execution, or credential exfiltration behavior.
Rationale
Because the broad agent-control writes are explicit/user-invoked rather than lifecycle-triggered, this does not meet the block policy for AI-agent control hijack. The populated .env and powerful MCP integration leave real residual risk, so warn rather than mark clean.
Evidence
  • package.json
  • dist/cli/index.js
  • dist/cli/platform.js
  • dist/mcp/server.js
  • knowledge_base/config/.env
  • knowledge_base/config/settings.py
  • knowledge_base/cli/workflow_cli.py
  • knowledge_base/agents/script_generator_agent.py
  • ~/.config/Code/User/mcp.json
  • ~/.config/Code/User/settings.json
  • ~/.vscode-server/data/User/mcp.json
  • ~/.vscode-server/data/User/settings.json
  • .vscode/mcp.json
  • .mcp.json
  • ~/.vscode-server/data/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json
  • tests/test_<jira_key>.py
Network endpoints (5)
  • qe-genai.cognitiveservices.azure.com/
  • 127.0.0.1:3002
  • kb.igel.com
  • community.igel.com
  • 192.168.204.65:5432

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli/platform.js user-invoked setup writes MCP entries into VS Code/Copilot, Cline, and Antigravity config files.
  • knowledge_base/config/.env is shipped and contains real-looking configured DB/Azure credential fields, not only placeholders.
  • dist/mcp/server.js exposes MCP tools that spawn the packaged Python workflow engine with inherited environment.
  • knowledge_base/agents/script_generator_agent.py can write generated pytest files under tests/ when generate_automation is invoked.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • Agent/MCP config mutation is gated behind explicit igel-qe init flags or platform setup command, not install-time execution.
  • MCP tools are package-aligned QE workflows and only map fixed tool names to fixed Python actions.
  • No code found harvesting broad local files, shell startup files, VCS hooks, persistence, or exfiltrating credentials to attacker-controlled endpoints.
  • Network endpoints are product/config aligned: Azure OpenAI, IGEL KB/community, local Firecrawl, and configured internal DB host.
Behavioral surface
Source
  • ChildProcess
  • EnvironmentVars
  • Filesystem
  • Shell
Supply chain
No supply-chain packaging signals triggered.
Manifest
No License
scanned 3 file(s), 18.6 KB of source

Source & flagged code

2 flagged
knowledge_base/config/.env
patternName = blocked_file
severity = critical
matchedText = knowledge_base/config/.env
redactedSecretContext:
  secretLikeLines = 12
  L6: DB_PASSWORD=<redacted:5 value>
  L14: AZURE_API_KEY=<redacted:84 token-like>
  L20: AZURE_EMBEDDING_DEPLOYMENT=<redacted:22 token-like>
  L35: RERANKER_MODEL=<redacted:36 token-like>
  L48: CHUNK_PARENT_MAX_TOKENS=<redacted:4 value>
  L49: CHUNK_CHILD_MAX_TOKENS=<redacted:3 value>
  L50: CHUNK_OVERLAP_TOKENS=<redacted:2 value>
  L56: WEB_SEARCH_BACKENDS=<redacted:22 token-like>
  omittedSecretLikeLines = 4
Critical
Critical Secret

Package contains a critical-looking secret pattern.

knowledge_base/config/.env · L6
knowledge_base/connectors/playwright_fetcher.py
path = knowledge_base/connectors/playwright_fetcher.py
kind = build_helper
sizeBytes = 1486
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

knowledge_base/connectors/playwright_fetcher.py

Findings

1 Critical · 2 Medium · 3 Low
  • Critical · Critical Secret · knowledge_base/config/.env
  • Medium · Environment Vars
  • Medium · Ships Build Helper · knowledge_base/connectors/playwright_fetcher.py
  • Low · Scripts Present
  • Low · Filesystem
  • Low · No License