registry  /  machine-bridge-mcp  /  0.7.1

machine-bridge-mcp@0.7.1

Cross-client MCP bridge for canonical local automation, files, Git, SSH resources, managed jobs, and processes over stdio or an OAuth-protected remote relay.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `machine-bridge-mcp start` or otherwise starts the daemon; an authenticated relay then sends MCP tool calls.
Impact
A compromised or misconfigured relay credential can direct broad actions as the local user when full policy is enabled.
Mechanism
Authenticated remote local-automation bridge with optional full filesystem and shell authority
Rationale
Source inspection does not support a malicious block verdict, but it does confirm a deliberately broad remote automation capability with optional persistence. Flag as warn so consumers can assess the trust boundary and full-policy exposure.
Evidence
package.jsonsrc/local/cli.mjssrc/local/daemon.mjssrc/local/service.mjssrc/local/full-access-test.mjssrc/local/tools.mjssrc/worker/index.tsbin/machine-mcp.mjssrc/local/shell.mjs

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/local/daemon.mjs` opens an authenticated WebSocket relay and executes received `tool_call` requests.
  • `src/local/daemon.mjs` supports filesystem mutation, process spawning, and shell execution under the full policy.
  • `src/local/service.mjs` implements persistent user autostart, invoked from explicit `start`/service commands.
  • `src/local/full-access-test.mjs` generates SSH material and runs commands, demonstrating high host-control capability.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook runs for consumers.
  • `src/local/full-access-test.mjs` uses a `mkdtemp` sandbox and recursively removes it in `finally`.
  • No inspected source harvests credentials, exfiltrates files, downloads payloads, or silently edits AI-client configuration.
  • Autostart is an explicit CLI-start feature, not an install-time persistence action.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 22 file(s), 341 KB of source, external domains: www.apple.com

Source & flagged code

4 flagged · loading source
src/local/full-access-test.mjsView file
21const keyPath = join(root, "ssh", "operator-ed25519"); L22: const authorizedKeysPath = join(root, "authorized_keys"); L23: const mainMarker = join(root, "managed-main.txt"); ... L26: const sentinelKey = `MBM_FULL_TEST_${Date.now()}`; L27: const previousSentinel = process.env[sentinelKey]; L28: process.env[sentinelKey] = "visible"; ... L56: const direct = await runtime.runDirectProcess({ L57: argv: [process.execPath, "-e", "process.stdout.write(process.cwd())"], L58: cwd: outsideDir, ... L68: L69: const shellCommand = process.platform === "win32" ? "[Console]::Out.Write('full-shell')" : "printf full-shell"; L70: const shell = await runtime.execCommand(shellCommand, 10);
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

src/local/full-access-test.mjsView on unpkg · L21
21Trigger-reachable chain: manifest.bin -> bin/machine-mcp.mjs -> src/local/cli.mjs -> src/local/full-access-test.mjs L21: const keyPath = join(root, "ssh", "operator-ed25519"); L22: const authorizedKeysPath = join(root, "authorized_keys"); L23: const mainMarker = join(root, "managed-main.txt"); ... L26: const sentinelKey = `MBM_FULL_TEST_${Date.now()}`; L27: const previousSentinel = process.env[sentinelKey]; L28: process.env[sentinelKey] = "visible"; ... L56: const direct = await runtime.runDirectProcess({ L57: argv: [process.execPath, "-e", "process.stdout.write(process.cwd())"], L58: cwd: outsideDir, ... L68: L69: const shellCommand = process.platform === "win32" ? "[Console]::Out.Write('full-shell')" : "printf full-shell"; L70: const shell = await runtime.execCommand(shellCommand, 10);
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/local/full-access-test.mjsView on unpkg · L21
mbm.cmdView file
path = mbm.cmd kind = build_helper sizeBytes = 183 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

mbm.cmdView on unpkg
src/local/daemon.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = machine-bridge-mcp@0.6.2 matchedIdentity = npm:bWFjaGluZS1icmlkZ2UtbWNw:0.6.2 similarity = 0.368 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/local/daemon.mjsView on unpkg

Findings

3 Critical4 Medium5 Low
CriticalPersistence Backdoorsrc/local/full-access-test.mjs
CriticalTrigger Reachable Dangerous Capabilitysrc/local/full-access-test.mjs
CriticalPrevious Version Dangerous Deltasrc/local/daemon.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpermbm.cmd
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings