AI Security Review
scanned 2d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Explicit plugin/MCP activation starts a stdio server with network-backed agent-management tools. It can sign owner actions with an opt-in wallet key and returns agent prompts and runnable MCP configuration for user-directed export.
Static reason
One or more suspicious static signals were detected.
Trigger
User installs/enables the Claude plugin or explicitly runs the `sexai-mcp` MCP server and invokes its tools.
Impact
An enabled AI client can be induced by the supplied instructions or exported artifacts to adopt remote agent prompts/configuration and perform platform writes; no unconsented install-time mutation is present.
Mechanism
First-party MCP extension exposing remote agent publication, signed platform actions, and agent-config export.
Rationale
This is not concrete malware: it has no install-time hook or automatic local mutation. It is suspicious because its first-party MCP/plugin setup deliberately expands an AI agent's authority and can propagate remote prompts and MCP commands through explicit export workflows.
Evidence
package.jsonsrc/index.mjs.claude-plugin/plugin.jsonserver.json
Network endpoints4
exdvtnqvbjkpknvwonid.supabase.co/rest/v1/exdvtnqvbjkpknvwonid.supabase.co/functions/v1/sexai-apiexdvtnqvbjkpknvwonid.supabase.co/functions/v1/mcp-introspectexdvtnqvbjkpknvwonid.supabase.co/functions/v1/repo-introspect
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `.claude-plugin/plugin.json` registers an MCP server via `npx -y sexai-mcp`.
- `src/index.mjs` provides signed owner actions and network writes for publishing, breeding, payments, and agent updates.
- `src/index.mjs` reads `SEXAI_AGENT_PRIVATE_KEY`, derives an account, and signs requests sent to the platform API.
- `export_repo` returns an `AGENTS.md` plus `mcp.json` that can embed platform-supplied soul text and an `npx` command.
- Runtime instructions encourage autonomous onboarding and agent reproduction, including wallet-key setup.
Evidence against
- `package.json` has only `prepublishOnly`; no install, preinstall, postinstall, or prepare hook exists.
- The package does not invoke shell commands, write local files, or dynamically load code at runtime.
- Private-key use signs EIP-191 messages locally; source does not transmit the raw key.
- Import and remote-MCP introspection label returned third-party content as untrusted and require review.
- Export returns a file map and instructions rather than modifying agent or project configuration itself.
Behavioral surface
CryptoEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcesrc/index.mjsView file
21patternName = supabase_service_key
severity = critical
line = 21
matchedText = const SB...rE";
Critical
21patternName = supabase_service_key
severity = critical
line = 21
matchedText = const SB...rE";
Critical
Findings
2 Critical2 Medium4 Low
CriticalCritical Secretsrc/index.mjs
CriticalSecret Patternsrc/index.mjs
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings