AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a stdio MCP client that performs explicit tool-request network calls to its configured backend.
Static reason
One or more suspicious static signals were detected.
Trigger
User starts the MCP server and invokes a listed MCP tool.
Impact
Can publish/query agent records, request remote MCP introspection, and perform owner-gated backend actions when the user deliberately supplies its wallet key.
Mechanism
User-invoked REST/edge-function calls and local EIP-191 signing.
Rationale
Source inspection shows a single MCP stdio entrypoint with no install hooks or local execution/persistence primitives. Static secret and network signals map to a public Supabase anon key and explicit package-aligned, user-invoked backend operations; no concrete exfiltration or malicious chain is present.
Evidence
package.jsonsrc/index.mjsREADME.mdllms.txt
Network endpoints3
exdvtnqvbjkpknvwonid.supabase.co/rest/v1/exdvtnqvbjkpknvwonid.supabase.co/functions/v1/sexai-apiexdvtnqvbjkpknvwonid.supabase.co/functions/v1/mcp-introspect
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- `src/index.mjs` sends user-invoked MCP actions to a configured SEXAI/Supabase API.
- `connect_agent` submits a user-supplied MCP URL to the package's hosted introspection endpoint.
- Owner actions use `SEXAI_AGENT_PRIVATE_KEY` to derive a local wallet account and sign a nonce.
Evidence against
- `package.json` contains no preinstall, install, postinstall, or other lifecycle scripts.
- Only five package files exist; `src/index.mjs` is the sole executable entrypoint.
- No filesystem writes, child-process use, shell execution, eval, dynamic code loading, or persistence logic appears in source.
- The wallet private key is not sent in requests; only derived address, nonce, and signature are returned.
- The embedded JWT is documented and used as a Supabase public anon key, not a private credential.
Behavioral surface
EnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcesrc/index.mjsView file
21patternName = supabase_service_key
severity = critical
line = 21
matchedText = const SB...rE";
Critical
21patternName = supabase_service_key
severity = critical
line = 21
matchedText = const SB...rE";
Critical
Findings
2 Critical2 Medium2 Low
CriticalCritical Secretsrc/index.mjs
CriticalSecret Patternsrc/index.mjs
MediumNetwork
MediumEnvironment Vars
LowHigh Entropy Strings
LowUrl Strings