registry  /  machine-bridge-mcp  /  1.0.8

machine-bridge-mcp@1.0.8

Cross-client MCP bridge for local agent context, structured browser and application automation, files, Git, processes, resources, and durable jobs over stdio or OAuth relay.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the CLI or configures an MCP client to invoke `machine-mcp stdio` with the default/full profile.
Impact
A connected MCP client can perform shell commands and unrestricted local operations when the full policy is active.
Mechanism
Policy-gated MCP filesystem, process, browser, and local-application automation.
Rationale
No concrete malicious payload, credential exfiltration, stealth persistence, or unconsented lifecycle mutation was found. The default full-capability MCP service remains a real dangerous dual-use capability and merits a warning rather than a block.
Evidence
package.jsonbin/machine-mcp.mjssrc/local/cli.mjssrc/local/process-execution.mjssrc/local/full-access-test.mjssrc/shared/policy-contract.jsonsrc/shared/tool-catalog.jsonsrc/local/runtime.mjs

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/shared/policy-contract.json` defaults to `full`, enabling writes, shell execution, unrestricted paths, and full environment.
  • `bin/machine-mcp.mjs` starts `src/local/cli.mjs`, whose `stdio` service exposes MCP tool calls.
  • `src/local/process-execution.mjs` implements policy-gated direct and shell process execution for MCP calls.
  • `src/shared/tool-catalog.json` includes full-profile filesystem, browser, application, and command-execution capabilities.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` hook; only publish-time checks are present.
  • `client-config` in `src/local/cli.mjs` prints configuration snippets rather than modifying Claude, Cursor, or Codex settings.
  • `src/local/full-access-test.mjs` writes SSH material only under a temporary test directory and removes it in cleanup.
  • Network relay code accepts a configured WebSocket URL; no hard-coded exfiltration endpoint was found in inspected runtime sources.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 93 file(s), 789 KB of source, external domains: 127.0.0.1, chat.openai.com, chatgpt.com, grok.com, registry.npmjs.org, www.apple.com, x.com

Source & flagged code

6 flagged · loading source
scripts/generate-worker-types.mjsView file
1import { spawnSync } from "node:child_process"; L2: import { mkdirSync } from "node:fs";
High
Child Process

Package source references child process execution.

scripts/generate-worker-types.mjsView on unpkg · L1
src/local/cli-local-admin.mjsView file
257: process.platform === "win32" L258: ? { file: "cmd.exe", args: ["/d", "/s", "/c", "start", "", target] } L259: : { file: "xdg-open", args: [target] };
High
Shell

Package source references shell execution.

src/local/cli-local-admin.mjsView on unpkg · L257
scripts/prepare-pinned-npm.mjsView file
1import { spawnSync } from "node:child_process"; L2: import { createHash } from "node:crypto"; ... L7: const NPM_VERSION = "12.0.1"; L8: const NPM_TARBALL_URL = "https://registry.npmjs.org/npm/-/npm-12.0.1.tgz"; L9: const NPM_TARBALL_INTEGRITY = "sha512-[redacted]=="; ... L11: L12: const githubPath = process.env.GITHUB_PATH; L13: if (!githubPath) throw new Error("GITHUB_PATH is required; this bootstrap is intended for GitHub Actions");
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

scripts/prepare-pinned-npm.mjsView on unpkg · L1
src/local/full-access-test.mjsView file
22const keyPath = join(root, "ssh", "operator-ed25519"); L23: const authorizedKeysPath = join(root, "authorized_keys"); L24: const mainMarker = join(root, "managed-main.txt"); ... L27: const sentinelKey = `MBM_FULL_TEST_${Date.now()}`; L28: const previousSentinel = process.env[sentinelKey]; L29: process.env[sentinelKey] = "visible"; ... L57: const direct = await runtime.runDirectProcess({ L58: argv: [process.execPath, "-e", "process.stdout.write(process.cwd())"], L59: cwd: outsideDir, ... L69: L70: const shellCommand = process.platform === "win32" ? "[Console]::Out.Write('full-shell')" : "printf full-shell"; L71: const shell = await runtime.execCommand(shellCommand, 10);
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

src/local/full-access-test.mjsView on unpkg · L22
22Trigger-reachable chain: manifest.bin -> bin/machine-mcp.mjs -> src/local/cli.mjs -> src/local/full-access-test.mjs L22: const keyPath = join(root, "ssh", "operator-ed25519"); L23: const authorizedKeysPath = join(root, "authorized_keys"); L24: const mainMarker = join(root, "managed-main.txt"); ... L27: const sentinelKey = `MBM_FULL_TEST_${Date.now()}`; L28: const previousSentinel = process.env[sentinelKey]; L29: process.env[sentinelKey] = "visible"; ... L57: const direct = await runtime.runDirectProcess({ L58: argv: [process.execPath, "-e", "process.stdout.write(process.cwd())"], L59: cwd: outsideDir, ... L69: L70: const shellCommand = process.platform === "win32" ? "[Console]::Out.Write('full-shell')" : "printf full-shell"; L71: const shell = await runtime.execCommand(shellCommand, 10);
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/local/full-access-test.mjsView on unpkg · L22
mbm.cmdView file
path = mbm.cmd kind = build_helper sizeBytes = 183 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

mbm.cmdView on unpkg

Findings

2 Critical3 High4 Medium5 Low
CriticalPersistence Backdoorsrc/local/full-access-test.mjs
CriticalTrigger Reachable Dangerous Capabilitysrc/local/full-access-test.mjs
HighChild Processscripts/generate-worker-types.mjs
HighShellsrc/local/cli-local-admin.mjs
HighSame File Env Network Executionscripts/prepare-pinned-npm.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpermbm.cmd
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings