registry  /  machine-bridge-mcp  /  0.8.0

machine-bridge-mcp@0.8.0

Cross-client MCP bridge for canonical local automation, files, Git, SSH resources, managed jobs, and processes over stdio or an OAuth-protected remote relay.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package intentionally provides local MCP automation, including optional shell and filesystem access, only after explicit runtime invocation and policy selection.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs the CLI/MCP server and selects the `full` profile or invokes `full-test`.
Impact
Can execute commands and modify files with the permissions deliberately granted to the MCP runtime; no install-time execution, stealth persistence, or credential exfiltration was confirmed.
Mechanism
User-directed local automation and authenticated remote relay.
Rationale
Scanner findings conflate an explicitly invoked full-access self-test with persistence/backdoor behavior. Source inspection found package-aligned, user-invoked automation and no concrete malicious chain.
Evidence
package.jsonbin/machine-mcp.mjssrc/local/cli.mjssrc/local/tools.mjssrc/local/full-access-test.mjssrc/local/relay-connection.mjssrc/local/service.mjssrc/worker/index.ts

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • `src/local/tools.mjs` defines an explicit `full` profile with shell execution, writes, unrestricted paths, and inherited environment.
  • `src/local/full-access-test.mjs` exercises SSH key generation and file writes, but only under a user-invoked test command and a fresh temporary directory.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook; `prepublishOnly` is publisher-only.
  • `bin/machine-mcp.mjs` only invokes the CLI after the user runs a package binary.
  • `src/local/cli.mjs` exposes privileged behavior through explicit commands/profile flags, including `full-test`, `start`, and `resource`.
  • `src/local/full-access-test.mjs` creates its test root with `mkdtemp` and removes it in `finally`; its `authorized_keys` file is temporary.
  • `src/local/tools.mjs` has restrictive `review`, `edit`, and `agent` profiles; shell execution is gated to `full`.
  • `src/local/relay-connection.mjs` uses a configured Worker URL and a required daemon secret rather than a hard-coded exfiltration endpoint.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 361 KB of source, external domains: www.apple.com

Source & flagged code

4 flagged · loading source
src/local/full-access-test.mjsView file
21const keyPath = join(root, "ssh", "operator-ed25519"); L22: const authorizedKeysPath = join(root, "authorized_keys"); L23: const mainMarker = join(root, "managed-main.txt"); ... L26: const sentinelKey = `MBM_FULL_TEST_${Date.now()}`; L27: const previousSentinel = process.env[sentinelKey]; L28: process.env[sentinelKey] = "visible"; ... L56: const direct = await runtime.runDirectProcess({ L57: argv: [process.execPath, "-e", "process.stdout.write(process.cwd())"], L58: cwd: outsideDir, ... L68: L69: const shellCommand = process.platform === "win32" ? "[Console]::Out.Write('full-shell')" : "printf full-shell"; L70: const shell = await runtime.execCommand(shellCommand, 10);
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

src/local/full-access-test.mjsView on unpkg · L21
21Trigger-reachable chain: manifest.bin -> bin/machine-mcp.mjs -> src/local/cli.mjs -> src/local/full-access-test.mjs L21: const keyPath = join(root, "ssh", "operator-ed25519"); L22: const authorizedKeysPath = join(root, "authorized_keys"); L23: const mainMarker = join(root, "managed-main.txt"); ... L26: const sentinelKey = `MBM_FULL_TEST_${Date.now()}`; L27: const previousSentinel = process.env[sentinelKey]; L28: process.env[sentinelKey] = "visible"; ... L56: const direct = await runtime.runDirectProcess({ L57: argv: [process.execPath, "-e", "process.stdout.write(process.cwd())"], L58: cwd: outsideDir, ... L68: L69: const shellCommand = process.platform === "win32" ? "[Console]::Out.Write('full-shell')" : "printf full-shell"; L70: const shell = await runtime.execCommand(shellCommand, 10);
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/local/full-access-test.mjsView on unpkg · L21
mbm.cmdView file
path = mbm.cmd kind = build_helper sizeBytes = 183 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

mbm.cmdView on unpkg
src/local/job-runner.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = machine-bridge-mcp@0.7.1 matchedIdentity = npm:bWFjaGluZS1icmlkZ2UtbWNw:0.7.1 similarity = 0.636 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/local/job-runner.mjsView on unpkg

Findings

3 Critical4 Medium5 Low
CriticalPersistence Backdoorsrc/local/full-access-test.mjs
CriticalTrigger Reachable Dangerous Capabilitysrc/local/full-access-test.mjs
CriticalPrevious Version Dangerous Deltasrc/local/job-runner.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpermbm.cmd
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings