AI Security Review
scanned 2d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package intentionally creates a Remote MCP bridge to a local daemon with filesystem read/write and shell execution enabled by default. This is a powerful user-invoked agent capability, but inspection did not find npm install-time execution, stealth persistence, credential harvesting, or hardcoded exfiltration.
Static reason
No blocking static signals were detected.
Trigger
User runs machine-mcp start or service install after installing the package.
Impact
Authorized remote MCP clients can read/write files and execute commands on the selected machine according to daemon policy; default policy is broad.
Mechanism
Authenticated MCP-to-local-daemon relay with optional login autostart
Rationale
The package is not malicious by LPM block criteria because dangerous behavior is explicit, package-aligned, authenticated, and user-invoked rather than npm install-time or stealthy. It should be warned due to broad default local read/write/exec capabilities and first-party autostart setup.
Evidence
package.jsonbin/machine-mcp.mjssrc/local/cli.mjssrc/local/daemon.mjssrc/local/service.mjssrc/local/api-server.mjssrc/worker/index.tsREADME.md~/.local/state/machine-bridge-mcp~/Library/LaunchAgents/dev.machine-bridge-mcp.daemon.plist~/.config/systemd/user/machine-bridge-mcp.service%APPDATA%/machine-bridge-mcpWindows Scheduled Task MachineBridgeMCP
Network endpoints3
api.openai.com/v1<worker>.<account>.workers.dev/mcpwss://<worker>.<account>.workers.dev/daemon/ws
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- src/local/daemon.mjs exposes read_file, write_file, search_text, and exec_command over a Worker WebSocket relay.
- src/local/daemon.mjs resolvePath allows absolute paths and parent-directory traversal outside the workspace.
- src/local/cli.mjs start installs autostart by default unless --no-autostart is passed.
- src/local/service.mjs writes LaunchAgent, systemd user service, or Windows Scheduled Task entries.
- src/worker/index.ts advertises write_file and exec_command as enabled by default through MCP.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hook; only prepack/prepublishOnly developer checks.
- bin/machine-mcp.mjs only imports CLI main and does not run on install or import by dependency consumers.
- README.md clearly documents Remote MCP bridge behavior, default write/exec permissions, autostart, state paths, and uninstall commands.
- Worker daemon WebSocket requires DAEMON_SHARED_SECRET and MCP clients require OAuth password flow.
- No hardcoded exfiltration endpoint beyond user-deployed workers.dev relay and optional OpenAI-compatible upstream.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcesrc/local/service.mjsView file
11const spec = serviceSpec({ workspace, stateRoot, entryScript, policy });
L12: if (process.platform === "darwin") return installLaunchd(spec, logger);
L13: if (process.platform === "win32") return installWindowsTask(spec, logger);
...
L30: if (process.platform === "darwin") return startLaunchd(logger);
L31: if (process.platform === "win32") return run("schtasks", ["/Run", "/TN", WINDOWS_TASK], { capture: true, allowFailure: true });
L32: return run("systemctl", ["--user", "start", "machine-bridge-mcp.service"], { capture: true, allowFailure: true });
...
L50: node: process.execPath,
L51: stdout: path.join(logs, "daemon.out.log"),
L52: stderr: path.join(logs, "daemon.err.log"),
...
L77: function launchdPlistPath() {
L78: return path.join(os.homedir(), "Library", "LaunchAgents", `${LABEL}.plist`);
L79: }
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
src/local/service.mjsView on unpkg · L11mbm.cmdView file
•path = mbm.cmd
kind = build_helper
sizeBytes = 183
magicHex = [redacted]
Medium
Findings
5 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/local/service.mjs
MediumShips Build Helpermbm.cmd
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings