AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The CLI intentionally proxies a user-selected local MCP server and can optionally expose its local HTTP listener through a user-requested tunnel.
Decision evidence
public snapshot- `src/bin/mcp-proxy.ts` forwards the user-supplied command, arguments, and environment to a child process.
- `src/StdioClientTransport.ts` uses `spawn`; shell execution is disabled unless the user explicitly passes `--shell`.
- `src/bin/mcp-proxy.ts` optionally opens a public tunnel only when `--tunnel` is supplied.
- `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
- No source writes agent configuration, shell profiles, persistence files, or arbitrary package files.
- `src/startHTTPServer.ts` only reads user-specified TLS CA/certificate/key paths.
- Bundled profile-write strings are dormant yargs localization/completion dependency code, not invoked by package source.
- No credential harvesting, exfiltration logic, remote payload loading, eval, or VM execution found.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
dist/bin/mcp-proxy.mjsView on unpkg · L12Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/bin/mcp-proxy.mjsView on unpkg · L12Package source references dynamic require/import behavior.
dist/bin/mcp-proxy.mjsView on unpkg · L1445Source writes installer persistence such as shell profile or service configuration.
dist/bin/mcp-proxy.mjsView on unpkg · L12Package source references a known benign dynamic code generation pattern.
dist/stdio-DNR9B0BZ.mjsView on unpkg · L294