registry  /  mcp-runrunit  /  1.8.0

mcp-runrunit@1.8.0

MCP server for Runrun.it API - Tasks, Comments, Projects

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Running the MCP server/bin and invoking runrunit_install_cursor_skills or runrunit_install_cursor_agents; share tools require explicit invocation and env credentials.
Impact
Could add package-owned Cursor skills/agents to user or project Cursor configuration if the user invokes the tool; no confirmed stealth persistence or credential exfiltration.
Mechanism
explicit MCP tools copy bundled agent/skill files and optionally submit PRs
Rationale
This is not malicious because the flagged capabilities are package-documented, user-invoked MCP tools and there is no install-time mutation or exfiltration chain. It still merits a warning because it can modify AI-agent control-surface files under Cursor when explicitly invoked.
Evidence
package.jsondist/application/install-cursor-skills.jsdist/application/install-cursor-agents.jsdist/application/share-cursor-github.jsdist/application/share-cursor-bitbucket.jsdist/adapters/driven/api.jsdist/adapters/driven/discord.jsdist/observability/sentry.jsdist/server.js~/.cursor/skills<project_root>/.cursor/skills~/.cursor/agents<project_root>/.cursor/agentsmcp-debug.log
Network endpoints4
runrun.it/api/v1.0discord.com/api/v10api.github.comapi.bitbucket.org/2.0

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/application/install-cursor-skills.js copies bundled cursor-skills into ~/.cursor/skills or project .cursor/skills when MCP tool is invoked
  • dist/application/install-cursor-agents.js copies bundled cursor-agents markdown into ~/.cursor/agents or project .cursor/agents when MCP tool is invoked
  • dist/application/share-cursor-github.js and share-cursor-bitbucket.js can open PRs with local cursor agent/skill files using host GitHub/Bitbucket credentials
  • dist/server.js writes mcp-debug.log during HTTP server runtime
Evidence against
  • package.json has no preinstall/install/postinstall; prepare only runs husky and build
  • Cursor writes are exposed as explicit MCP tools, not automatic install-time mutation
  • GitHub/Bitbucket tokens are read from server env and used for configured repo PR creation, not sent to arbitrary endpoints
  • Runrun.it and Discord network calls are package-aligned tool behavior
  • Sentry path redacts token/password/secret/api key fields before telemetry
  • No child_process execution or remote payload download found in runtime source
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 40 file(s), 979 KB of source, external domains: 127.0.0.1, api.bitbucket.org, api.github.com, discord.com, docs.github.com, fetch.spec.whatwg.org, figma.com, gist.github.com, github.com, json-schema.org, link-da-tarefa.com, mathiasbynens.be, raw.githubusercontent.com, runrun.it, spec.openapis.org, stackoverflow.com, tools.ietf.org, uploads.github.com, www.w3.org

Source & flagged code

4 flagged · loading source
dist/index.jsView file
1225// validation function arguments L1226: data: new codegen_1.Name("data"), L1227: // data passed to validation function ... L2252: id = normalizeId(id); L2253: return resolver.resolve(baseId, id); L2254: } ... L3112: for (i = 0; i < input.length; i++) { L3113: code = input[i].charCodeAt(0); L3114: if (code === 48) { ... L12164: var StdioServerTransport = class { L12165: constructor(_stdin = process2.stdin, _stdout = process2.stdout) { L12166: this._stdin = _stdin;
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L1225
1225Trigger-reachable chain: manifest.main -> dist/index.js L1225: // validation function arguments L1226: data: new codegen_1.Name("data"), L1227: // data passed to validation function ... L2252: id = normalizeId(id); L2253: return resolver.resolve(baseId, id); L2254: } ... L3112: for (i = 0; i < input.length; i++) { L3113: code = input[i].charCodeAt(0); L3114: if (code === 48) { ... L12164: var StdioServerTransport = class { L12165: constructor(_stdin = process2.stdin, _stdout = process2.stdout) { L12166: this._stdin = _stdin;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L1225
2941sourceCode = this.opts.code.process(sourceCode, sch); L2942: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L2943: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L2941
dist/server.jsView file
9const __dirname = path.dirname(fileURLToPath(import.meta.url)); L10: const require = createRequire(import.meta.url); L11: const streamableHttpPath = path.join(__dirname, '..', 'node_modules', '@modelcontextprotocol', 'sdk', 'dist', 'esm', 'server', 'streamableHttp.js');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/server.jsView on unpkg · L9

Findings

2 Critical4 Medium7 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumDynamic Requiredist/server.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License