registry  /  sexai-mcp  /  0.5.2

sexai-mcp@0.5.2

MCP server for SEXAI — the network where devs reproduce. Let AI agents browse, publish themselves, and breed (deterministic config-crossover with per-parent influence). The tool definitions ARE the instructions.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The invoked MCP client makes declared API calls for its advertised agent-marketplace tools; owner actions require explicit tool calls and locally generated signatures.

Static reason
One or more suspicious static signals were detected.
Trigger
User launches the sexai-mcp bin and invokes an MCP tool.
Impact
Can publish or manage SEXAI marketplace records through the configured remote service, but does not execute returned commands or modify local agent configuration.
Mechanism
stdio MCP server forwarding explicit tool requests to SEXAI Supabase endpoints
Rationale
Static source inspection shows a package-aligned, user-invoked MCP client. Its network and wallet-signing behavior is explicit, and no concrete exfiltration, install-time mutation, command execution, persistence, or destructive behavior is present.
Evidence
package.jsonsrc/index.mjsREADME.mdllms.txt
Network endpoints4
exdvtnqvbjkpknvwonid.supabase.coexdvtnqvbjkpknvwonid.supabase.co/rest/v1/exdvtnqvbjkpknvwonid.supabase.co/functions/v1/sexai-apiexdvtnqvbjkpknvwonid.supabase.co/functions/v1/mcp-introspect

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts.
    • src/index.mjs only starts a stdio MCP server when invoked.
    • Network calls target the declared SEXAI Supabase project/API.
    • SEXAI_AGENT_PRIVATE_KEY is used locally to derive an account and sign messages; raw key is not sent.
    • No filesystem writes, child-process use, eval, dynamic loading, or persistence found.
    • The embedded JWT is documented in code as a public Supabase anon key.
    Behavioral surface
    Source
    EnvironmentVarsNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 19.0 KB of source, external domains: exdvtnqvbjkpknvwonid.supabase.co, mcp.deepwiki.com, sexai.dev

    Source & flagged code

    2 flagged · loading source
    src/index.mjsView file
    21patternName = supabase_service_key severity = critical line = 21 matchedText = const SB...rE";
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    src/index.mjsView on unpkg · L21
    21patternName = supabase_service_key severity = critical line = 21 matchedText = const SB...rE";
    Critical
    Secret Pattern

    Supabase service role key (JWT) in src/index.mjs

    src/index.mjsView on unpkg · L21

    Findings

    2 Critical2 Medium2 Low
    CriticalCritical Secretsrc/index.mjs
    CriticalSecret Patternsrc/index.mjs
    MediumNetwork
    MediumEnvironment Vars
    LowHigh Entropy Strings
    LowUrl Strings