registry  /  mcp-efficiency-engine  /  0.1.0

mcp-efficiency-engine@0.1.0

Motor de orquestacion para agentes MCP con routing por dominio y bootstrap portable.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates a host project during npm postinstall by copying AI-agent/MCP control files and agent instructions into INIT_CWD. This is an unconsented install-time write to a broad foreign AI-agent control surface.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of mcp-efficiency-engine@0.1.0
Impact
Can introduce package-supplied MCP server configuration and AGENTS.md instructions into the installing project without an explicit user command.
Mechanism
postinstall scaffold copy into host project
Policy narrative
On npm install, package.json runs bin/install-host.js with --postinstall. The installer targets INIT_CWD/process.cwd, then copies scaffold entries including .vscode/mcp.json and AGENTS.md into the host project unless they already differ. The injected MCP config defines multiple agent tooling servers and AGENTS.md supplies operating instructions, creating an unconsented agent control-surface mutation at install time.
Rationale
Source inspection confirms unconsented postinstall mutation of foreign AI-agent control files, which meets the firewall block policy even without exfiltration. Bootstrap/network-heavy setup is skipped during npm non-interactive install, but the install-time control-surface write remains concrete. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonbin/install-host.js.vscode/mcp.jsonscripts/intake/init-template-registry.ps1AGENTS.mdscripts/policies/memory/orchestrator/repo-registry/repos.ymlrepo-intake/generated/reports/

Decision evidence

public snapshot
AI called this Malicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node ./bin/install-host.js --postinstall
  • bin/install-host.js defaults targetDir to INIT_CWD/process.cwd and copies scaffoldEntries into host project
  • scaffoldEntries include .vscode, AGENTS.md, scripts, policies, memory, orchestrator, and tooling
  • packaged .vscode/mcp.json defines MCP servers: token-saver-mcp, codebase-memory-mcp, codegraph, gitnexus, repomix, graphify
  • postinstall creates runtime dirs and repo-registry/repos.yml via scripts/intake/init-template-registry.ps1 in non-interactive npm installs
Evidence against
  • bin/install-host.js skips host scaffold when target is packageRoot
  • copyFile preserves differing existing files unless --force
  • npm postinstall non-interactive path omits bootstrap and does not run setup-prerequisites.ps1
  • No credential harvesting or exfiltration found in inspected entrypoints
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 12.4 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/install-host.js --postinstall
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/install-host.js --postinstall
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/install-host.jsView file
1Install-time AI-agent control hijack evidence: L26: "tooling", L27: "AGENTS.md", L28: "ARCHITECTURE.md", ... L147: function ensureDir(dirPath) { L148: fs.mkdirSync(dirPath, { recursive: true }); L149: } ... L162: L163: fs.copyFileSync(sourcePath, targetPath); L164: return { copied: true, skipped: false, reason: "copied" }; Payload evidence from AGENTS.md: L1: <!-- markdownlint-disable MD013 --> L2:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/install-host.jsView on unpkg · L1
scripts/context/build-repomix.ps1View file
path = scripts/context/build-repomix.ps1 kind = build_helper sizeBytes = 64 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/context/build-repomix.ps1View on unpkg

Findings

1 Critical1 High4 Medium2 Low
CriticalAi Agent Control Hijackbin/install-host.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumShips Build Helperscripts/context/build-repomix.ps1
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem