registry  /  mcp-efficiency-engine  /  0.1.2

mcp-efficiency-engine@0.1.2

Motor de orquestacion para agentes MCP con routing por dominio y bootstrap portable.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time code mutates the consuming project, not just its own package directory. It drops an MCP configuration and enables a repository hook without explicit user invocation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall
Impact
A dependency installation can alter VS Code MCP command configuration and persist package workflows on later commits.
Mechanism
host-project scaffold plus MCP configuration and Git-hook installation
Policy narrative
On npm postinstall, `bin/install-host.js` selects the installer’s host directory, copies package-controlled project files including `.vscode/mcp.json`, and installs a local Git post-commit hook. The dropped MCP configuration declares external command servers, so installation changes an AI-agent control surface in the consuming project without an explicit setup command. The later bootstrap tooling also contains a remote-download-and-execute primitive, increasing the risk if the scaffolded workflow is used.
Rationale
Source inspection confirms an unconsented postinstall mutation of a foreign project’s AI-agent configuration and persistent Git hook. This meets the firewall block boundary even though direct exfiltration was not found.
Evidence
package.jsonbin/install-host.js.vscode/mcp.jsonscripts/setup/install-project-hooks.ps1scripts/setup/setup-prerequisites.ps1.githooks/post-commitscripts/ops/post-commit-refresh.ps1

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `bin/install-host.js --postinstall`.
  • `bin/install-host.js` targets `INIT_CWD`/cwd and copies a broad scaffold during postinstall.
  • The scaffold includes `.vscode`, which contains package-supplied MCP server commands.
  • Postinstall configures local `core.hooksPath=.githooks`, creating post-commit persistence.
  • `scripts/setup/setup-prerequisites.ps1` contains remote `Invoke-RestMethod | Invoke-Expression` for later bootstrap.
Evidence against
  • Postinstall detects noninteractive execution and skips the interactive bootstrap path.
  • Existing scaffold files are preserved unless `--force` is supplied.
  • No credential exfiltration or lifecycle network endpoint was confirmed.
  • LangSmith telemetry is disabled by default in `telemetry/config.json`.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 13.0 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/install-host.js --postinstall
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/install-host.js --postinstall
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/install-host.jsView file
1Install-time AI-agent control hijack evidence: L27: "tooling", L28: "AGENTS.md", L29: "ARCHITECTURE.md", ... L148: function ensureDir(dirPath) { L149: fs.mkdirSync(dirPath, { recursive: true }); L150: } ... L163: L164: fs.copyFileSync(sourcePath, targetPath); L165: return { copied: true, skipped: false, reason: "copied" }; Payload evidence from AGENTS.md: L1: <!-- markdownlint-disable MD013 --> L2:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/install-host.jsView on unpkg · L1
scripts/context/build-repomix.ps1View file
path = scripts/context/build-repomix.ps1 kind = build_helper sizeBytes = 64 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/context/build-repomix.ps1View on unpkg

Findings

1 Critical1 High4 Medium2 Low
CriticalAi Agent Control Hijackbin/install-host.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumShips Build Helperscripts/context/build-repomix.ps1
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem