registry  /  port-authority-agent-terminal-mcp  /  0.3.10

port-authority-agent-terminal-mcp@0.3.10

Cross-platform (Windows + macOS) lane coordinator for AI coding agents (Claude, Codex, etc.) — keeps multiple local agents from colliding on dev-server ports, Chrome debug ports, and Chrome user profiles. Includes a CLI, an MCP server, and a native Tauri

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time hook mutates broad AI-agent MCP control surfaces without an explicit user command. It registers this package as an MCP server for Claude Desktop, Codex Desktop, and Claude Code.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm global install or local self install postinstall
Impact
AI agents may load and execute the package MCP server after install, expanding agent capabilities and persistence in user agent configs.
Mechanism
unconsented AI-agent MCP config mutation during postinstall
Policy narrative
On install, the postinstall hook locates the package CLI, stages its dashboard binary, and automatically runs install-mcp. That code edits Claude Desktop and Codex Desktop config files and delegates to the Claude CLI to add/remove MCP entries, causing future AI-agent sessions to expose this package's MCP tools without a separate user command.
Rationale
Although the package appears aligned with local port/browser coordination and I found no exfiltration, its postinstall performs unconsented mutation of foreign AI-agent MCP control surfaces. Under the install control-surface policy this is a publish-block condition. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonscripts/postinstall.cjsdist/src/cli/install-mcp.jsdist/src/cli/autostart.jsdist/src/cli/shortcut.jsdist/src/core/chrome.jsdist/src/core/pagecontrol.jsdist/src/mcp/server.js%APPDATA%/Claude/claude_desktop_config.json~/.codex/config.toml~/.claude.json%LOCALAPPDATA%/PAAT/paat-dashboard.exe%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup/Port Authority Agent Terminal.lnk~/.portpilot/bin/paat-dashboard
Network endpoints4
127.0.0.1:<port>/json/listws://127.0.0.1:<port>/sessiondocs.claude.com/en/claude-code/quickstartrustup.rs

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall running scripts/postinstall.cjs
  • scripts/postinstall.cjs automatically runs CLI install-mcp unless PAAT_SKIP_INSTALL_MCP=1
  • dist/src/cli/install-mcp.js writes %APPDATA%/Claude/claude_desktop_config.json
  • dist/src/cli/install-mcp.js writes ~/.codex/config.toml MCP server entry
  • dist/src/cli/install-mcp.js invokes claude mcp remove/add for Claude Code user config
  • scripts/postinstall.cjs also stages dashboard binary and on Windows installs shortcut/autostart
Evidence against
  • postinstall skips CI, transitive installs, and PAAT_SKIP_POSTINSTALL=1
  • MCP entries point to this package CLI with args [index.js, mcp], not a remote payload
  • existing Claude/Codex configs are backed up before writes
  • no credential harvesting or external exfiltration endpoints found in inspected source
  • browser automation is lane/profile-gated and localhost-oriented
  • native dashboard binary is package-aligned but not deeply reverse engineered
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 52 file(s), 407 KB of source, external domains: 127.0.0.1, docs.claude.com, rustup.rs

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('./scripts/postinstall.cjs')}catch(e){if(e&&e.code==='MODULE_NOT_FOUND'&&String(e.message).includes('scripts/postinstall.cjs')){console.warn('[paat postinstall...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('./scripts/postinstall.cjs')}catch(e){if(e&&e.code==='MODULE_NOT_FOUND'&&String(e.message).includes('scripts/postinstall.cjs')){console.warn('[paat postinstall...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/src/core/pagejs.jsView file
18// new Function only PARSES here — nothing is executed. L19: new Function(`return (${expr});`); L20: return expr;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/src/core/pagejs.jsView on unpkg · L18
scripts/build-dashboard-tauri.cjsView file
31L32: const { spawnSync } = require("node:child_process"); L33: const path = require("node:path"); ... L36: L37: const repoRoot = path.resolve(__dirname, ".."); L38: const guiDir = path.join(repoRoot, "gui"); ... L43: L44: function log(msg) { process.stdout.write(`[build-dashboard] ${msg}\n`); } L45: function warn(msg) { process.stderr.write(`[build-dashboard] ${msg}\n`); } ... L48: * doesn't auto-append .cmd on Windows when shell:false, so we have to. */ L49: function npmCmd() { return process.platform === "win32" ? "npm.cmd" : "npm"; } L50: function cargoCmd() { return process.platform === "win32" ? "cargo.exe" : "cargo"; }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/build-dashboard-tauri.cjsView on unpkg · L31
bin/paat-dashboard.exeView file
path = bin/paat-dashboard.exe kind = native_binary sizeBytes = 9733120 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/paat-dashboard.exeView on unpkg
dist/src/core/chrome.jsView file
matchType = previous_version_dangerous_delta matchedPackage = port-authority-agent-terminal-mcp@0.3.6 matchedIdentity = npm:[redacted]:0.3.6 similarity = 0.773 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/core/chrome.jsView on unpkg

Findings

2 Critical2 High4 Medium6 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalPrevious Version Dangerous Deltadist/src/core/chrome.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilityscripts/build-dashboard-tauri.cjs
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarybin/paat-dashboard.exe
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/src/core/pagejs.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings