registry  /  machine-bridge-mcp  /  0.6.2

machine-bridge-mcp@0.6.2

Cross-client MCP bridge for canonical local automation, files, Git, SSH resources, managed jobs, and processes over stdio or an OAuth-protected remote relay.

AI Security Review

scanned 19h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `machine-mcp start` or installs/starts its service, then an authorized remote MCP client invokes tools.
Impact
Under the default full profile, an authorized remote client can run shell commands and access paths available to the local user; the package can persist its own daemon as a user service.
Mechanism
OAuth-protected Worker relay dispatches authenticated tool calls to a local daemon with configurable filesystem and process privileges.
Rationale
Source establishes a real, high-impact remote automation and persistence capability, so it warrants a warning. It is user-invoked and package-aligned rather than concrete malicious behavior.
Evidence
package.jsonbin/machine-mcp.mjssrc/local/cli.mjssrc/local/daemon.mjssrc/local/service.mjssrc/local/tools.mjssrc/local/full-access-test.mjssrc/worker/index.ts

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/local/cli.mjs` explicit `start` deploys a Worker and installs autostart.
  • `src/local/daemon.mjs` accepts authenticated relay tool calls and exposes file/process operations.
  • `src/local/tools.mjs` default `full` policy enables shell execution, unrestricted paths, and full environment.
  • `src/local/service.mjs` creates user-level launchd, systemd, or scheduled-task persistence.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; only publish-time checks.
  • `src/local/full-access-test.mjs` uses a temporary directory and removes it in `finally`.
  • `src/local/cli.mjs` client-config command prints configuration rather than modifying agent configs.
  • No hidden downloader, eval/vm execution, credential exfiltration, or fixed third-party endpoint was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 19 file(s), 311 KB of source, external domains: www.apple.com

Source & flagged code

3 flagged · loading source
src/local/full-access-test.mjsView file
21const keyPath = join(root, "ssh", "operator-ed25519"); L22: const authorizedKeysPath = join(root, "authorized_keys"); L23: const mainMarker = join(root, "managed-main.txt"); ... L26: const sentinelKey = `MBM_FULL_TEST_${Date.now()}`; L27: const previousSentinel = process.env[sentinelKey]; L28: process.env[sentinelKey] = "visible"; ... L56: const direct = await runtime.runDirectProcess({ L57: argv: [process.execPath, "-e", "process.stdout.write(process.cwd())"], L58: cwd: outsideDir, ... L68: L69: const shellCommand = process.platform === "win32" ? "[Console]::Out.Write('full-shell')" : "printf full-shell"; L70: const shell = await runtime.execCommand(shellCommand, 10);
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

src/local/full-access-test.mjsView on unpkg · L21
21Trigger-reachable chain: manifest.bin -> bin/machine-mcp.mjs -> src/local/cli.mjs -> src/local/full-access-test.mjs L21: const keyPath = join(root, "ssh", "operator-ed25519"); L22: const authorizedKeysPath = join(root, "authorized_keys"); L23: const mainMarker = join(root, "managed-main.txt"); ... L26: const sentinelKey = `MBM_FULL_TEST_${Date.now()}`; L27: const previousSentinel = process.env[sentinelKey]; L28: process.env[sentinelKey] = "visible"; ... L56: const direct = await runtime.runDirectProcess({ L57: argv: [process.execPath, "-e", "process.stdout.write(process.cwd())"], L58: cwd: outsideDir, ... L68: L69: const shellCommand = process.platform === "win32" ? "[Console]::Out.Write('full-shell')" : "printf full-shell"; L70: const shell = await runtime.execCommand(shellCommand, 10);
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/local/full-access-test.mjsView on unpkg · L21
mbm.cmdView file
path = mbm.cmd kind = build_helper sizeBytes = 183 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

mbm.cmdView on unpkg

Findings

2 Critical4 Medium5 Low
CriticalPersistence Backdoorsrc/local/full-access-test.mjs
CriticalTrigger Reachable Dangerous Capabilitysrc/local/full-access-test.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpermbm.cmd
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings