AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The user-invoked MCP server exposes Shipmail email-management operations through the configured Shipmail API key.
Decision evidence
public snapshot- package.json has no preinstall/install/postinstall lifecycle hook.
- dist/index.js only starts after the user runs the stdio CLI.
- dist/index.js reads only configured Shipmail API-key env/file input.
- Requests are constrained to Shipmail HTTPS hosts by default.
- The reported bidi characters are in a regex that strips control characters.
- README.md contains no reviewer- or scanner-directed instructions.
Source & flagged code
3 flagged · loading sourcePackage text addresses the security reviewer or scanner and tries to influence the review outcome.
README.mdView on unpkgSource contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/index.jsView on unpkg · L2166A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg