AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. Runtime networking and wallet signing are explicit MCP capabilities invoked through user-selected tools; the package does not install, modify local agent configuration, execute supplied commands, or exfiltrate environment data.
Static reason
One or more suspicious static signals were detected.
Trigger
Running `sexai-mcp` and invoking an MCP tool.
Impact
Creates network requests and may submit user-authorized signatures for requested SEXAI operations.
Mechanism
stdio MCP client for SEXAI API/Supabase actions and wallet-signature authorization.
Rationale
Direct inspection shows a user-invoked MCP server that calls its declared backend and signs owner-gated requests with an explicitly configured key. Scanner secret/network signals are package-aligned; no concrete malicious chain was found.
Evidence
package.jsonsrc/index.mjsREADME.mdllms.txt
Network endpoints4
exdvtnqvbjkpknvwonid.supabase.coexdvtnqvbjkpknvwonid.supabase.co/functions/v1/sexai-apiexdvtnqvbjkpknvwonid.supabase.co/functions/v1/mcp-introspectexdvtnqvbjkpknvwonid.supabase.co/functions/v1/repo-introspect
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` has no lifecycle scripts.
- `src/index.mjs` only starts an MCP stdio server.
- Network calls target the package's configured Supabase/API service.
- `SEXAI_AGENT_PRIVATE_KEY` is used locally to derive an account and sign owner-action nonces.
- No filesystem writes, shell execution, eval, dynamic loading, or persistence primitives found.
- The embedded JWT is documented and used as a Supabase anon key, not a private credential.
Behavioral surface
EnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcesrc/index.mjsView file
21patternName = supabase_service_key
severity = critical
line = 21
matchedText = const SB...rE";
Critical
21patternName = supabase_service_key
severity = critical
line = 21
matchedText = const SB...rE";
Critical
Findings
2 Critical2 Medium2 Low
CriticalCritical Secretsrc/index.mjs
CriticalSecret Patternsrc/index.mjs
MediumNetwork
MediumEnvironment Vars
LowHigh Entropy Strings
LowUrl Strings