registry  /  send16-mcp  /  0.5.1

send16-mcp@0.5.1

MCP server for Send16 email platform — full coverage including inbox, automations, actions, topics, audiences, segments, brand, suppressions, and webhooks. Stdio + HTTP transports.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `send16-mcp install` with an API key or SEND16_API_KEY.
Impact
Future AI-client launches can execute the configured MCP server with the supplied Send16 credential; MCP tools can perform email-platform actions requested by the client.
Mechanism
Explicit AI-client MCP configuration mutation and Send16 API proxying.
Rationale
Source inspection confirms an explicit multi-host AI-agent configuration installer, not automatic malicious execution. Per policy, this guarded user-command mutation warrants a warning rather than a block.
Evidence
package.jsondist/index.jsdist/install-4NVVSMNV.jsdist/install-GUE465UP.jsREADME.md
Network endpoints1
api.send16.com

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` dispatches `install` only when explicitly invoked.
  • `dist/install-4NVVSMNV.js` writes MCP entries to Claude, Cursor, Claude Code, and Windsurf configs.
  • Installer stores `SEND16_API_KEY` in generated host configuration.
  • Generated MCP config runs `npx -y send16-mcp` on host startup.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • No child-process, shell, eval, native loading, or hidden import-time filesystem writes were found.
  • `dist/index.js` sends authenticated requests only to configured Send16 API base URL.
  • Config mutation is guarded behind the explicit `send16-mcp install` command.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
NoLicense
scanned 3 file(s), 74.2 KB of source, external domains: 0.0.0.0, api.send16.com, send16.com

Source & flagged code

2 flagged · loading source
dist/index.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/index.js` dispatches `install` only when explicitly invoked.

dist/index.jsView on unpkg
dist/install-4NVVSMNV.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/install-4NVVSMNV.js` writes MCP entries to Claude, Cursor, Claude Code, and Windsurf configs.

dist/install-4NVVSMNV.jsView on unpkg

Findings

6 Medium6 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/index.js
MediumAi Review Evidencedist/install-4NVVSMNV.js
MediumAi Review Evidence
MediumAi Review Evidence
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License