registry  /  sensorium-mcp  /  3.0.94

sensorium-mcp@3.0.94

MCP server for remote control of AI assistants via Telegram

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User starts the server in HTTP mode, creates managed Codex/Claude/Copilot threads, or explicitly runs `Install-Sensorium.ps1`.
Impact
Telegram-directed tasks can run through AI CLIs with bypassed safeguards; a later published npm version can execute automatically.
Mechanism
Detached privileged agent spawning plus registry-driven self-update.
Rationale
The behavior is package-aligned remote-agent orchestration, not proven malware, but it creates substantial dangerous capability and registry-driven runtime code execution. It merits a warning rather than a publish block.
Evidence
package.jsondist/index.jsdist/services/self-update.service.jsdist/services/codex-spawn.service.jsdist/services/claude-spawn.service.jsInstall-Sensorium.ps1~/.claude/.credentials.json~/.remote-copilot-mcp/claude-configs/<threadId>/.credentials.json~/.remote-copilot-mcp/maintenance.flag~/.remote-copilot-mcp/bin/sensorium-supervisor.exeWindows Startup/SensoriumSupervisor.cmd
Network endpoints3
registry.npmjs.org/sensorium-mcp/latestapi.github.com/repos/andriyshevchenko/sensorium-mcp/releases/tags/supervisor-latestapi.telegram.org

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/services/codex-spawn.service.js` launches `codex exec --dangerously-bypass-approvals-and-sandbox` in an infinite task-polling loop.
  • `dist/services/claude-spawn.service.js` copies `~/.claude/.credentials.json` to a per-thread config and launches Claude with `--dangerously-skip-permissions`.
  • `dist/services/self-update.service.js` polls npm and spawns `npx` with `shell:true` to execute a newer package version.
  • `Install-Sensorium.ps1` downloads a supervisor executable and creates a Windows Startup launcher when explicitly run.
Evidence against
  • `package.json` has only `prepublishOnly`; it has no `preinstall`, `install`, or `postinstall` hook.
  • The self-update poller is activated only after an explicit HTTP-mode server launch (`MCP_HTTP_PORT`).
  • The installer is an explicit `pwsh Install-Sensorium.ps1` user action, not npm install-time execution.
  • No inspected source established secret exfiltration to an unrelated hard-coded endpoint.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 111 file(s), 976 KB of source, external domains: 127.0.0.1, api.openai.com, api.telegram.org, registry.npmjs.org, www.w3.org

Source & flagged code

2 flagged · loading source
Install-Sensorium.ps1View file
path = Install-Sensorium.ps1 kind = build_helper sizeBytes = 12824 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

Install-Sensorium.ps1View on unpkg
dist/services/claude-spawn.service.jsView file
matchType = previous_version_dangerous_delta matchedPackage = sensorium-mcp@3.0.92 matchedIdentity = npm:c2Vuc29yaXVtLW1jcA:3.0.92 similarity = 0.796 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/services/claude-spawn.service.jsView on unpkg

Findings

1 High4 Medium5 Low
HighPrevious Version Dangerous Deltadist/services/claude-spawn.service.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build HelperInstall-Sensorium.ps1
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings