registry  /  mcp-efficiency-engine  /  0.1.3

mcp-efficiency-engine@0.1.3

Motor de orquestacion para agentes MCP con routing por dominio y bootstrap portable.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Npm postinstall mutates the consuming project rather than only this package directory. It drops package-controlled AI-agent/MCP configuration and installs a Git hook automatically.

Static reason
High-risk behavior combination matched malicious policy.; source fingerprint signature matched known malicious package; routed for review
Trigger
`npm install mcp-efficiency-engine@0.1.3`
Impact
A dependency install can alter future AI-agent behavior and commit-time execution in the host repository.
Mechanism
Postinstall scaffolds AI-agent control files and configures project Git hooks
Policy narrative
Installation invokes `bin/install-host.js` automatically. In normal noninteractive install contexts it copies an extensive scaffold into the installer’s project, including `AGENTS.md`, `.vscode/mcp.json`, `.github`, and `.githooks`, then sets the repository-local Git hook path. These files influence AI-agent tool configuration and subsequent repository operations outside the dependency directory without an explicit user command.
Rationale
Source inspection confirms an unconsented `postinstall` mutation of a foreign/broad AI-agent control surface plus Git-hook setup. The lack of exfiltration reduces scope but does not remove the concrete install-time control-surface behavior.
Evidence
package.jsonbin/install-host.js.vscode/mcp.jsonscripts/setup/install-project-hooks.ps1.githooks/post-commitAGENTS.md.github.githooksscripts/ops/post-commit-refresh.ps1

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `bin/install-host.js --postinstall`.
  • `bin/install-host.js` targets `INIT_CWD`/cwd and copies into that foreign project.
  • Postinstall copies `.vscode`, `AGENTS.md`, `.github`, and agent/MCP scaffolding.
  • Postinstall configures local Git `core.hooksPath` via `scripts/setup/install-project-hooks.ps1`.
  • `.vscode/mcp.json` registers package-supplied MCP server commands for the host workspace.
Evidence against
  • No network calls or credential harvesting appear in the postinstall path.
  • Existing scaffold files are preserved unless `--force` is supplied.
  • No obfuscated payload, eval, or binary loading was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 13.0 KB of source

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/install-host.js --postinstall
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/install-host.js --postinstall
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/install-host.jsView file
1Install-time AI-agent control hijack evidence: L27: "tooling", L28: "AGENTS.md", L29: "ARCHITECTURE.md", ... L148: function ensureDir(dirPath) { L149: fs.mkdirSync(dirPath, { recursive: true }); L150: } ... L163: L164: fs.copyFileSync(sourcePath, targetPath); L165: return { copied: true, skipped: false, reason: "copied" }; Payload evidence from AGENTS.md: L1: <!-- markdownlint-disable MD013 --> L2:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/install-host.jsView on unpkg · L1
matchType = malicious_source_fingerprint_signature signature = 5f95e75b999b9137 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = mcp-efficiency-engine@0.1.2 matchedPath = bin/install-host.js matchedIdentity = npm:bWNwLWVmZmljaWVuY3ktZW5naW5l:0.1.2 similarity = 1.000 shingleOverlap = 2 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

bin/install-host.jsView on unpkg
scripts/context/build-repomix.ps1View file
path = scripts/context/build-repomix.ps1 kind = build_helper sizeBytes = 64 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/context/build-repomix.ps1View on unpkg

Findings

1 Critical2 High4 Medium2 Low
CriticalAi Agent Control Hijackbin/install-host.js
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Fingerprint Signaturebin/install-host.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumShips Build Helperscripts/context/build-repomix.ps1
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem