registry  /  machine-bridge-mcp  /  0.8.1

machine-bridge-mcp@0.8.1

Cross-client MCP bridge for canonical local automation, files, Git, SSH resources, managed jobs, and processes over stdio or an OAuth-protected remote relay.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs the CLI/MCP server and selects a policy that permits execution, writes, or full access.
Impact
A connected MCP client with a permissive policy can execute local commands, access permitted files, manage jobs, and create user-level autostart services.
Mechanism
Authenticated relay exposes policy-gated local automation capabilities.
Rationale
Source inspection contradicts the scanner’s malicious claim: there are no install hooks or covert foreign agent-control writes. However, the package deliberately exposes broad local automation and relay functionality, so it merits a warning-level dangerous-capability verdict.
Evidence
package.jsonbin/machine-mcp.mjssrc/local/cli.mjssrc/local/shell.mjssrc/local/service.mjssrc/local/relay-connection.mjssrc/local/full-access-test.mjssrc/local/resource-operations.mjssrc/local/ssh-key.mjssrc/worker/index.ts

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/local/cli.mjs` exposes user-invoked full-profile shell, filesystem, SSH, managed-job, and autostart commands.
  • `src/local/shell.mjs` runs child processes and can inherit the full parent environment when full mode is selected.
  • `src/local/service.mjs` installs per-user launchd, systemd-user, or Windows logon autostart entries on explicit service commands.
  • `src/local/relay-connection.mjs` maintains an authenticated HTTPS WebSocket relay using a daemon secret.
  • `src/local/full-access-test.mjs` writes SSH authorized_keys only inside a temporary test directory.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook; only prepublishOnly.
  • `bin/machine-mcp.mjs` only invokes the CLI after an explicit bin command.
  • `src/local/cli.mjs` client-config prints MCP configuration rather than modifying Claude, Cursor, or Codex files.
  • `src/local/full-access-test.mjs` creates and removes an isolated temporary sandbox.
  • No source evidence of credential harvesting, unconsented exfiltration, remote payload download, or foreign AI-agent config mutation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 363 KB of source, external domains: www.apple.com

Source & flagged code

4 flagged · loading source
src/local/full-access-test.mjsView file
21const keyPath = join(root, "ssh", "operator-ed25519"); L22: const authorizedKeysPath = join(root, "authorized_keys"); L23: const mainMarker = join(root, "managed-main.txt"); ... L26: const sentinelKey = `MBM_FULL_TEST_${Date.now()}`; L27: const previousSentinel = process.env[sentinelKey]; L28: process.env[sentinelKey] = "visible"; ... L56: const direct = await runtime.runDirectProcess({ L57: argv: [process.execPath, "-e", "process.stdout.write(process.cwd())"], L58: cwd: outsideDir, ... L68: L69: const shellCommand = process.platform === "win32" ? "[Console]::Out.Write('full-shell')" : "printf full-shell"; L70: const shell = await runtime.execCommand(shellCommand, 10);
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

src/local/full-access-test.mjsView on unpkg · L21
21Trigger-reachable chain: manifest.bin -> bin/machine-mcp.mjs -> src/local/cli.mjs -> src/local/full-access-test.mjs L21: const keyPath = join(root, "ssh", "operator-ed25519"); L22: const authorizedKeysPath = join(root, "authorized_keys"); L23: const mainMarker = join(root, "managed-main.txt"); ... L26: const sentinelKey = `MBM_FULL_TEST_${Date.now()}`; L27: const previousSentinel = process.env[sentinelKey]; L28: process.env[sentinelKey] = "visible"; ... L56: const direct = await runtime.runDirectProcess({ L57: argv: [process.execPath, "-e", "process.stdout.write(process.cwd())"], L58: cwd: outsideDir, ... L68: L69: const shellCommand = process.platform === "win32" ? "[Console]::Out.Write('full-shell')" : "printf full-shell"; L70: const shell = await runtime.execCommand(shellCommand, 10);
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/local/full-access-test.mjsView on unpkg · L21
mbm.cmdView file
path = mbm.cmd kind = build_helper sizeBytes = 183 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

mbm.cmdView on unpkg
src/local/runtime.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = machine-bridge-mcp@0.8.0 matchedIdentity = npm:bWFjaGluZS1icmlkZ2UtbWNw:0.8.0 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/local/runtime.mjsView on unpkg

Findings

3 Critical4 Medium5 Low
CriticalPersistence Backdoorsrc/local/full-access-test.mjs
CriticalTrigger Reachable Dangerous Capabilitysrc/local/full-access-test.mjs
CriticalPrevious Version Dangerous Deltasrc/local/runtime.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpermbm.cmd
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings