AI Security Review
scanned 2h ago · by lpm-firewall-ai
No confirmed malware or unconsented lifecycle mutation was found. The package exposes powerful user-invoked MCP tools/prompts for databases, git, PR review, ticket creation, and engineering orchestration, which can modify repositories or send local files to configured services when an agent calls them.
Static reason
One or more suspicious static signals were detected.
Trigger
User configures/runs the lumina-mcp MCP server and invokes its tools/prompts through an MCP client.
Impact
Could commit/push code, create/review PRs, query databases, write audit docs, or upload specified local attachments if delegated to the agent.
Mechanism
User-invoked MCP agent capability surface with git, database, ticketing, and remote API actions.
Attack narrative
The package does not execute at install time or plant agent configuration. When run as an MCP server, it intentionally gives an AI client broad developer-workflow powers: database reads/audits, GitHub/Gitea PR actions, git commit/push, issue creation, local report writes, and optional attachment uploads. These are dangerous if delegated carelessly but are package-aligned and user-invoked rather than stealthy malware.
Rationale
Static inspection found a legitimate MCP automation toolkit with powerful agent-facing capabilities but no install hook abuse, credential harvesting loop, hidden exfiltration, persistence, or unconsented writes to foreign AI-agent control surfaces. Because the exposed tools/prompts can modify repos and upload specified files when invoked, warn rather than mark clean.
Evidence
- package.json
- dist/index.js
- README.md
- dist/skills/fallback-brainstorm.md
- dist/skills/fallback-work.md
- dist/skills/fallback-review.md
- dist/skills/fallback-compound.md
- docs/database/auditor-query-*.md
- attachmentPath arguments
- ~/.claude.json
- Claude/Cursor/Cline/Roo config paths
Network endpoints (5)
- api.github.com
- *.atlassian.net/rest/api/3
- api.trello.com/1
- <openproject-domain>/api/v3
- GITEA_BASE_URL
Decision evidence
public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/index.js registers agent tools that can git add/commit/push selected files via child_process execFile.
- dist/index.js prompt content instructs agents to create files, run tests/install commands, and fall back to git/gh/tea CLI workflows.
- dist/index.js reads home/project AI-tool config paths to detect compound-engineering/ce-work presence.
- dist/index.js can read arbitrary attachmentPath files for Jira/OpenProject uploads when create-ticket tools are invoked.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; only bin/main point to dist/index.js.
- Runtime is an MCP stdio server; sensitive actions are exposed as named tools/prompts, not import-time or install-time execution.
- Database tools enforce read-only SQL and filter common sensitive columns from returned rows.
- Network endpoints are package-aligned: GitHub, Gitea, Atlassian/Jira, Trello, OpenProject, MySQL/PostgreSQL configured by user env.
Behavioral surface
- EnvironmentVars
- Filesystem
- Network
- HighEntropyStrings
- UrlStrings
Source & flagged code
1 flagged · dist/index.js
L286: }
L287: `,variables:{threadId:l.id}})})}},x=new me;import{exec as mr,execFile as gr}from"child_process";import{promisify as Ue}from"util";var De=Ue(mr),ge=Ue(gr);async function $e(n,e,t,r)...
L288: ${a}`.trim(),stderr:`${s}
...
L294:
L295: `),t||"No local changes detected."}catch{return"Failed to read local git changes."}}async function je(n,e,t,r,o){return await x.createPullRequest(n,e,t,r,o)}async function Fe(n,e,t...
L296: - **GitHub / Git Tool Execution & Fallback Rules**:
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.js · L286
Findings
1 High · 2 Medium · 4 Low
- High: Command Output Exfiltration (dist/index.js)
- Medium: Network
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings