AI Security Review
scanned 2d ago · by lpm-firewall-ai
The package is not confirmed malicious, but its postinstall hook starts the MCP server path and can clone the React docs repository during installation. This is package-aligned but should not occur from a version-check lifecycle hook.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall
Impact
Unexpected install-time network access and cache writes; no confirmed credential theft or persistence.
Mechanism
install-time server startup and git clone
Attack narrative
On install, package.json runs dist/index.js with --version. The entrypoint does not handle that flag; it configures the React docs preset and starts the MCP server, whose initialization clones the official React docs repo into a user cache directory if absent. No source evidence shows credential collection, exfiltration, destructive behavior, or AI-agent control-surface mutation.
Rationale
Static source inspection shows an install-time lifecycle misbehavior with package-aligned network/cache activity, but not a concrete malicious payload. Warn rather than block so consumers are aware of unexpected postinstall execution.
Evidence
- package.json
- dist/index.js
- dist/server.js
- dist/docsManager.js
- dist/config.js
- dist/embeddingService.js
- dist/presets/reactDocs.js
- README.md
- ~/.cache/react-docs-mcp/react-dev-repo
Network endpoints (3)
- github.com/reactjs/react.dev.git
- react.dev
- Xenova/all-MiniLM-L6-v2
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: node dist/index.js --version
- dist/index.js ignores --version and starts createServer()
- dist/server.js calls docsManager.initialize() before stdio server startup
- dist/docsManager.js clones https://github.com/reactjs/react.dev.git to cache when missing
Evidence against
- No credential, env, or home-directory harvesting found
- No exfiltration endpoints beyond package-aligned GitHub/react docs URLs
- Network use is for React docs git clone and local embedding model download
- No eval/vm/Function or dynamic require/import found
- No destructive filesystem operations found
- MCP tools are documentation search, get_doc, list_sections, update_docs
Behavioral surface
- EnvironmentVars
- Filesystem
- UrlStrings
Source & flagged code
2 flagged
package.json
• scripts.postinstall = node dist/index.js --version || echo 'Run: npx react-docs-mcp'
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
• scripts.postinstall = node dist/index.js --version || echo 'Run: npx react-docs-mcp'
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 2 Medium · 4 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Environment Vars
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings