registry  /  protect-mcp  /  0.7.4

protect-mcp@0.7.4

⚠ Under review

Fail-closed Cedar policy gate + signed receipts for AI agent tool calls. Blocks what breaks the rules before it runs, denies on any policy error, and proves the gate is live with a startup self-test.

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 17 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 29 file(s), 5.33 MB of source, external domains: 0.0.0.0, 127.0.0.1, api.e2b.dev, api.resend.com, api.scopeblind.com, api.twilio.com, datatracker.ietf.org, e2b.dev, example.com, gist.github.com, github.com, json-schema.org, legate.scopeblind.com, mathiasbynens.be, npmjs.com, raw.githubusercontent.com, rekor.sigstore.dev, scopeblind.com, search.sigstore.dev, spec.openapis.org, stackoverflow.com, tools.ietf.org, veritasacta.com, www.w3.org

Source & flagged code

7 flagged · loading source
dist/chunk-UBZJ3VI2.mjsView file
586// src/gateway.ts L587: import { spawn } from "child_process"; L588: import { randomUUID, randomBytes } from "crypto";
High
Child Process

Package source references child process execution.

dist/chunk-UBZJ3VI2.mjsView on unpkg · L586
dist/chunk-KPSICBAJ.mjsView file
29158sourceCode = this.opts.code.process(sourceCode, sch); L29159: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L29160: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/chunk-KPSICBAJ.mjsView on unpkg · L29158
dist/hook-server.jsView file
25module.exports = __toCommonJS(hook_server_exports); L26: var import_node_http2 = require("http"); L27: var import_node_crypto4 = require("crypto");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/hook-server.jsView on unpkg · L25
dist/index.jsView file
42673try { L42674: const { execSync } = await import("child_process"); L42675: execSync(`docker rm -f ${sandbox.id} 2>/dev/null`, { stdio: "pipe" }); ... L42680: async function createE2BSandbox(config) { L42681: const apiKey = config.apiKey || process.env.E2B_API_KEY; L42682: if (!apiKey) { L42683: throw new Error("E2B_API_KEY not set. Get one at https://e2b.dev"); L42684: }
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/index.jsView on unpkg · L42673
480Trigger-reachable chain: manifest.main -> dist/index.js L480: issueData, L481: data: ctx.data, L482: path: ctx.path, ... L965: var ipv6CidrRegex = /^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}... L966: var base64Regex = /^([0-9a-zA-Z+/]{4})*(([0-9a-zA-Z+/]{2}==)|([0-9a-zA-Z+/]{3}=))?$/; L967: var base64urlRegex = /^([0-9a-zA-Z-_]{4})*(([0-9a-zA-Z-_]{2}(==)?)|([0-9a-zA-Z-_]{3}(=)?))?$/; ... L6379: try { L6380: new URL(`http://[${payload.value}]`); L6381: } catch { ... L28497: id = normalizeId(id); L28498: return resolver.resolve(baseId, id); L28499: }
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L480
480issueData, L481: data: ctx.data, L482: path: ctx.path, ... L965: var ipv6CidrRegex = /^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}... L966: var base64Regex = /^([0-9a-zA-Z+/]{4})*(([0-9a-zA-Z+/]{2}==)|([0-9a-zA-Z+/]{3}=))?$/; L967: var base64urlRegex = /^([0-9a-zA-Z-_]{4})*(([0-9a-zA-Z-_]{2}(==)?)|([0-9a-zA-Z-_]{3}(=)?))?$/; ... L6379: try { L6380: new URL(`http://[${payload.value}]`); L6381: } catch { ... L28497: id = normalizeId(id); L28498: return resolver.resolve(baseId, id); L28499: }
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L480
dist/cli.jsView file
35Cross-file remote execution chain: dist/cli.js spawns dist/demo-server.js; helper contains network access plus dynamic code execution. L35: const raw = (0, import_node_fs.readFileSync)(path, "utf-8"); L36: const parsed = JSON.parse(raw); L37: if (!parsed.tools || typeof parsed.tools !== "object") { ... L131: constructor(dir) { L132: this.filePath = (0, import_node_path.join)(dir || process.cwd(), ".protect-mcp-evidence.json"); L133: this.load(); ... L320: const config = credentials[label]; L321: const value = process.env[config.value_env]; L322: if (!value) { ... L383: keyData = JSON.parse((0, import_node_fs3.readFileSync)(config.key_path, "utf-8")); L384: if (!keyData.privateKey || !keyData.publicKey) { L385: signingInitError = "key file missing privateKey or publicKey fields";
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L35

Findings

2 Critical4 High4 Medium7 Low
CriticalSame File Env Network Executiondist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/chunk-UBZJ3VI2.mjs
HighShell
HighCredential Exfiltrationdist/index.js
HighCross File Remote Execution Contextdist/cli.js
MediumDynamic Requiredist/hook-server.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/chunk-KPSICBAJ.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings