registry  /  mcp-efficiency-engine  /  0.1.1

mcp-efficiency-engine@0.1.1

Motor de orquestacion para agentes MCP con routing por dominio y bootstrap portable.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The npm postinstall hook mutates the consumer project automatically. It drops package-supplied VS Code MCP agent configuration and instruction files into the host repository.

Static reason
High-risk behavior combination matched malicious policy.; source fingerprint signature matched known malicious package; routed for review
Trigger
npm installation, via the automatic `postinstall` lifecycle hook
Impact
A dependency install can add MCP server commands and agent instructions to a foreign project without explicit user invocation.
Mechanism
recursive host-project scaffolding of AI-agent control files
Policy narrative
On npm install, `package.json` invokes `bin/install-host.js --postinstall`. The installer targets `MCPEE_TARGET_DIR`, `INIT_CWD`, or the current directory, recursively copies package scaffold entries, including `.vscode` and `AGENTS.md`, and creates runtime directories. Thus an ordinary dependency installation can inject a package-selected MCP configuration into the consuming repository. The copied `.vscode/mcp.json` configures several agent/tool commands, creating a broad AI-agent control-surface mutation without an explicit setup command.
Rationale
Source inspection confirms an unconsented postinstall write to a foreign host project's AI-agent configuration surface. This meets the install-control-surface block boundary even though no exfiltration or remote payload was found.
Evidence
package.jsonbin/install-host.js.vscode/mcp.json.githubAGENTS.mdscriptsorchestrator

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node ./bin/install-host.js --postinstall`.
  • `bin/install-host.js` defaults the target to `INIT_CWD` or current directory.
  • Postinstall recursively copies package `.vscode` and `AGENTS.md` into that target.
  • `.vscode/mcp.json` registers MCP commands including `token-saver-mcp`, `codegraph`, `gitnexus`, `repomix`, and `graphify`.
  • Existing target files are preserved, but absent AI-agent config is created without user confirmation.
Evidence against
  • No credential harvesting or network exfiltration was found in reviewed Node install code.
  • No remote URL, downloaded payload, `eval`, or shell-string execution appears in `bin/install-host.js`.
  • Noninteractive install skips the interactive bootstrap script after scaffolding.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 12.4 KB of source

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/install-host.js --postinstall
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/install-host.js --postinstall
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/install-host.jsView file
1Install-time AI-agent control hijack evidence: L26: "tooling", L27: "AGENTS.md", L28: "ARCHITECTURE.md", ... L147: function ensureDir(dirPath) { L148: fs.mkdirSync(dirPath, { recursive: true }); L149: } ... L162: L163: fs.copyFileSync(sourcePath, targetPath); L164: return { copied: true, skipped: false, reason: "copied" }; Payload evidence from AGENTS.md: L1: <!-- markdownlint-disable MD013 --> L2:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/install-host.jsView on unpkg · L1
matchType = malicious_source_fingerprint_signature signature = 718b8bdb8b4a997a signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = mcp-efficiency-engine@0.1.0 matchedPath = bin/install-host.js matchedIdentity = npm:bWNwLWVmZmljaWVuY3ktZW5naW5l:0.1.0 similarity = 1.000 shingleOverlap = 2 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

bin/install-host.jsView on unpkg
scripts/context/build-repomix.ps1View file
path = scripts/context/build-repomix.ps1 kind = build_helper sizeBytes = 64 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/context/build-repomix.ps1View on unpkg

Findings

1 Critical2 High4 Medium2 Low
CriticalAi Agent Control Hijackbin/install-host.js
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Fingerprint Signaturebin/install-host.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumShips Build Helperscripts/context/build-repomix.ps1
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem