registry  /  netsuite-supermcp  /  0.1.19

netsuite-supermcp@0.1.19

A NetSuite MCP server with OAuth, REST/RESTlet tools, client installers, and account permission probes.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs netsuite-supermcp setup, install, public-url, suitecloud, or related bin commands
Impact
Warn-level agent capability exposure; no unconsented install-time hijack or exfiltration confirmed
Mechanism
Explicit MCP client config mutation and package-aligned network/helper execution
Rationale
Static inspection shows warn-level explicit AI-agent MCP configuration writes, but the npm postinstall is inert and the dangerous primitives are user-invoked and package-aligned. There is no concrete malicious chain or unconsented install-time mutation, so block is not warranted.
Evidence
package.jsonbin/postinstall.mjsbin/netsuite-supermcp.mjsscripts/install-clients.tsscripts/client-installer/config.tsscripts/client-installer/targets.tsscripts/public-url.tssrc/netsuite/client.ts.env~/.codex/config.toml.mcp.json~/AppData/Roaming/Claude/claude_desktop_config.json~/.cursor/mcp.json~/.gemini/settings.json.vscode/mcp.json
Network endpoints7
dashboard.ngrok.com/get-started/your-authtokenbin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-windows-amd64.zipbin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-darwin-arm64.zipbin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-darwin-amd64.zipbin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-arm64.tgzbin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz127.0.0.1:4040/api/tunnels

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • scripts/install-clients.ts explicitly writes MCP server entries to Codex, Claude, Cursor, Gemini, VS Code, and other agent configs when run
  • scripts/client-installer/config.ts embeds NetSuite OAuth/env values including client secret and refresh token into agent config env blocks
  • scripts/public-url.ts downloads and executes ngrok on explicit public-url command and disables MCP auth for the tunnel flow
  • scripts/suitecloud-project.ts can install helper tooling during explicit SuiteCloud/public-url workflows
Evidence against
  • bin/postinstall.mjs only prints setup guidance and does not write files, run network calls, or mutate agent configs
  • No install-time preinstall/install/postinstall mutation of foreign AI-agent control surfaces was found
  • Network calls are package-aligned: NetSuite REST/RESTlet APIs, localhost MCP health checks, ngrok download/API, and OAuth/browser setup
  • Child-process use is command-wrapper behavior around bun, browser open, ngrok, SuiteCloud/JDK setup, and user-invoked helper commands
  • No credential harvesting or exfiltration endpoint outside configured NetSuite/ngrok/OAuth flows was found
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 57 file(s), 197 KB of source, external domains: 1234567-sb1.restlets.api.netsuite.com, 1234567-sb1.suitetalk.api.netsuite.com, 127.0.0.1, api.adoptium.net, bin.equinox.io, bun.sh, dashboard.ngrok.com, docs.oracle.com, system.netsuite.com

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/netsuite-supermcp-switch-account.mjsView file
1#!/usr/bin/env node L2: import { spawnSync } from "node:child_process" L3: import { dirname, join } from "node:path"
High
Child Process

Package source references child process execution.

bin/netsuite-supermcp-switch-account.mjsView on unpkg · L1
scripts/public-url.tsView file
matchType = previous_version_dangerous_delta matchedPackage = netsuite-supermcp@0.1.9 matchedIdentity = npm:bmV0c3VpdGUtc3VwZXJtY3A:0.1.9 similarity = 0.745 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/public-url.tsView on unpkg
254const result = spawnSync( L255: "powershell.exe", L256: [
High
Shell

Package source references shell execution.

scripts/public-url.tsView on unpkg · L254
scripts/smoke.tsView file
1import { type ChildProcess, spawn } from "node:child_process" L2: import { rm } from "node:fs/promises" ... L6: const SmokeConfigSchema = z.object({ L7: baseUrl: z.string().url().default("http://127.0.0.1:3125"), L8: token: z.string().min(12).default("test-token-12345"), ... L11: const config = SmokeConfigSchema.parse({ L12: baseUrl: process.env["SMOKE_BASE_URL"], L13: token: process.env["MCP_BEARER_TOKEN"],
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

scripts/smoke.tsView on unpkg · L1
bin/netsuite-supermcp-setup.mjsView file
1#!/usr/bin/env node L2: import { spawnSync } from "node:child_process" L3: import { dirname, join } from "node:path" ... L8: encoding: "utf8", L9: shell: process.platform === "win32", L10: }) ... L12: console.error("NetSuite SuperMCP setup needs Bun.") L13: console.error("Install Bun: https://bun.sh/docs/installation") L14: console.error("Then rerun: netsuite-supermcp setup")
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/netsuite-supermcp-setup.mjsView on unpkg · L1
scripts/suitecloud-project.tsView file
63console.log("") L64: console.log("This uses npx for Oracle SuiteCloud CLI and manages a portable JDK on Windows.") L65: } ... L68: function ensureSuiteCloudJavaEnv(): NodeJS.ProcessEnv { L69: const java = spawnSync("java", ["-version"], { L70: encoding: "utf8",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/suitecloud-project.tsView on unpkg · L63
setup.shView file
path = setup.sh kind = build_helper sizeBytes = 1116 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

setup.shView on unpkg

Findings

1 Critical6 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltascripts/public-url.ts
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/netsuite-supermcp-switch-account.mjs
HighShellscripts/public-url.ts
HighSame File Env Network Executionscripts/smoke.ts
HighSandbox Evasion Gated Capabilitybin/netsuite-supermcp-setup.mjs
HighRuntime Package Installscripts/suitecloud-project.ts
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpersetup.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings