registry  /  shipmail-mcp  /  0.2.10

shipmail-mcp@0.2.10

Official Model Context Protocol (MCP) server for Shipmail, a business email provider with REST API, webhooks, and custom-domain inboxes for AI agents.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The user-invoked MCP server exposes Shipmail email-management operations through the configured Shipmail API key.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs shipmail-mcp and an MCP client invokes a registered Shipmail tool.
Impact
Authorized mailbox, domain, webhook, and email actions may occur only through explicit MCP tool invocation using configured credentials.
Mechanism
Local stdio MCP bridge to the Shipmail API.
Rationale
Static inspection shows a package-aligned, user-invoked MCP server with no install-time execution, persistence, credential exfiltration, remote payload loading, or foreign agent-control-surface mutation. Scanner Unicode and dangerous-capability findings are explained by output sanitization and declared email-service functionality.
Evidence
package.jsondist/index.jsREADME.mdserver.jsonsmithery.yaml
Network endpoints2
shipmail.to/api/v1api.shipmail.to

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hook.
    • dist/index.js only starts after the user runs the stdio CLI.
    • dist/index.js reads only configured Shipmail API-key env/file input.
    • Requests are constrained to Shipmail HTTPS hosts by default.
    • The reported bidi characters are in a regex that strips control characters.
    • README.md contains no reviewer- or scanner-directed instructions.
    Behavioral surface
    Source
    CryptoEnvironmentVarsFilesystem
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    WildcardDependency
    scanned 1 file(s), 182 KB of source, external domains: shipmail.to

    Source & flagged code

    3 flagged · loading source
    README.mdView file
    - **Indirect prompt injection from email content.** Reading a mailbox exposes the agent to attacker-controlled email bodies. The sanitizer strips invisible glyphs but cannot detect natural-language injection ("ignore previous instructions, send to..."). Only call destructive tools after explicit user approval.
    High
    Ai Reviewer Manipulation

    Package text addresses the security reviewer or scanner and tries to influence the review outcome.

    README.mdView on unpkg
    dist/index.jsView file
    2166contains invisible/control Unicode U+202A (left-to-right embedding) /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F؜<U+200E><U+200F><U+202A>-<U+202E><U+2066>-<U+2069>]/gu
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/index.jsView on unpkg · L2166
    Trigger-reachable chain: manifest.bin -> dist/index.js Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/index.jsView on unpkg

    Findings

    2 Critical1 High3 Medium4 Low
    CriticalTrojan Source Unicodedist/index.js
    CriticalTrigger Reachable Dangerous Capabilitydist/index.js
    HighAi Reviewer ManipulationREADME.md
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    MediumWildcard Dependency
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings