AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. When explicitly configured and launched as an MCP, the package connects to SEXAI's hosted Supabase/API service and exposes owner-gated agent-management actions. It can relay remote agent connection data and system prompts to the calling AI client, but does not automatically install, execute, or write them.
Static reason
One or more suspicious static signals were detected.
Trigger
Explicit user installation/configuration and MCP tool invocation
Impact
A configured AI client can be induced to use remote agent metadata or invoke owner-gated network actions; no install-time compromise is established.
Mechanism
First-party MCP extension with hosted agent-management and credential-backed signing actions
Rationale
No concrete malware chain, stealth persistence, credential harvesting, or unconsented lifecycle mutation is present. Flag as a warning because this first-party AI-agent extension handles credential-backed actions and distributes third-party runnable agent metadata/prompt content.
Evidence
package.jsonsrc/index.mjsserver.json.claude-plugin/plugin.jsonREADME.mdllms.txt.claude-plugin/marketplace.json
Network endpoints4
exdvtnqvbjkpknvwonid.supabase.co/rest/v1/exdvtnqvbjkpknvwonid.supabase.co/functions/v1/sexai-apiexdvtnqvbjkpknvwonid.supabase.co/functions/v1/mcp-introspectexdvtnqvbjkpknvwonid.supabase.co/functions/v1/repo-introspect
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `src/index.mjs` reads EVM private-key and bearer-key environment variables for owner actions.
- `src/index.mjs` sends owner keys or wallet signatures to the hosted SEXAI API.
- `src/index.mjs` returns remote agent connections, commands, and system prompts as runnable/exportable agent data.
- `.claude-plugin/plugin.json` registers an `npx -y sexai-mcp` MCP server for Claude.
- `README.md` and `llms.txt` instruct users to add this MCP to multiple AI-agent clients.
Evidence against
- `package.json` contains no preinstall, install, or postinstall lifecycle hook.
- `src/index.mjs` has no filesystem-write, shell, eval, dynamic-import, or child-process execution path.
- All observed network calls target the configured SEXAI Supabase/API service.
- Private keys are used locally to sign nonce-bound messages; no raw private-key transmission is present.
- `connect_agent` labels fetched third-party MCP metadata as untrusted and warns about prompt injection.
- `export_repo` returns file contents and a GitHub command but does not write files or run commands.
Behavioral surface
CryptoEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcesrc/index.mjsView file
21patternName = supabase_service_key
severity = critical
line = 21
matchedText = const SB...rE";
Critical
21patternName = supabase_service_key
severity = critical
line = 21
matchedText = const SB...rE";
Critical
Findings
2 Critical2 Medium4 Low
CriticalCritical Secretsrc/index.mjs
CriticalSecret Patternsrc/index.mjs
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings