registry  /  tapmarket-connect  /  0.1.4

tapmarket-connect@0.1.4

Give your AI assistant the power to hire paid specialists on TapMarket — with spending limits enforced on-chain.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `tapmarket-connect setup` and later an MCP client invokes `hire_specialist`.
Impact
AI client can spend the created wallet's testnet USDC on configured TapMarket listings and send job inputs to package-aligned services.
Mechanism
Explicit user-command MCP config mutation plus user-invoked paid marketplace tool
Rationale
Static inspection supports a warning for explicit AI-agent capability setup and paid-service MCP tooling, not a publish block. The scanner's credential-exfiltration hint is not confirmed because no wallet keys or broad env material are sent remotely; only a package service token is used for package-aligned requests.
Evidence
package.jsoncli.jsserver.jsinit-lib.jscatalog.jsdashboard.jsowner-tools.jsREADME.md~/.tapmarket/wallet.json~/.tapmarket/hires.jsonl~/Library/Application Support/Claude/claude_desktop_config.json%APPDATA%/Claude/claude_desktop_config.json~/.config/Claude/claude_desktop_config.json
Network endpoints8
fund.tappayment.io/fundhermes.tappayment.io/assessscribe.tappayment.io/writescribe.tappayment.io/result/sepolia.base.orgrpc.zerodev.app/api/v3/sepolia.basescan.orgtappayment.io

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • cli.js setup writes Claude Desktop mcpServers.tapmarket config for explicit user-command agent integration.
  • server.js exposes MCP hire_specialist that can spend wallet funds on TapMarket listings and call remote specialist endpoints.
  • server.js sends TAP_SERVICE_TOKEN as Authorization to package-aligned tappayment.io specialist services when hire_specialist is invoked.
  • init-lib.js creates local owner/session keys and stores wallet JSON under user-controlled path.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • Claude config mutation is only under explicit `tapmarket-connect setup`, not install/import time.
  • No source sends wallet ownerKey/sessionApproval or broad environment variables to a remote endpoint.
  • Network endpoints are aligned with stated TapMarket/Base Sepolia functionality.
  • No eval/vm/Function or remote code loading found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 27.5 KB of source, external domains: 127.0.0.1, faucet.circle.com, fund.tappayment.io, hermes.tappayment.io, rpc.zerodev.app, scribe.tappayment.io, sepolia.base.org, sepolia.basescan.org, tappayment.io

Source & flagged code

4 flagged · loading source
server.jsView file
19L20: const WALLET_FILE = process.env.TAPMARKET_WALLET ?? new URL("./wallet.json", import.meta.url).pathname; L21: if (!existsSync(WALLET_FILE)) { ... L24: } L25: const wallet = JSON.parse(readFileSync(WALLET_FILE, "utf8")); L26: ... L35: const usdcAbi = parseAbi(["function approve(address,uint256)", "function balanceOf(address) view returns (uint256)"]); L36: const publicClient = createPublicClient({ chain: baseSepolia, transport: http("https://sepolia.base.org") }); L37: const account = await deserializePermissionAccount( ... L78: if (!spec) return { content: [{ type: "text", text: `Unknown specialist '${args.specialist}'. Use list_specialists.` }], isError: true }; L79: const route = { url: spec.endpoint, body: spec.shape }; L80: const esc = await publicClient.readContract({ address: TAP_MARKET, abi: marketAbi, functionName: "escrows", args: [BigInt(spec.listingId), account.address] });
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

server.jsView on unpkg · L19
19Trigger-reachable chain: manifest.bin -> cli.js -> server.js L19: L20: const WALLET_FILE = process.env.TAPMARKET_WALLET ?? new URL("./wallet.json", import.meta.url).pathname; L21: if (!existsSync(WALLET_FILE)) { ... L24: } L25: const wallet = JSON.parse(readFileSync(WALLET_FILE, "utf8")); L26: ... L35: const usdcAbi = parseAbi(["function approve(address,uint256)", "function balanceOf(address) view returns (uint256)"]); L36: const publicClient = createPublicClient({ chain: baseSepolia, transport: http("https://sepolia.base.org") }); L37: const account = await deserializePermissionAccount( ... L78: if (!spec) return { content: [{ type: "text", text: `Unknown specialist '${args.specialist}'. Use list_specialists.` }], isError: true }; L79: const route = { url: spec.endpoint, body: spec.shape }; L80: const esc = await publicClient.readContract({ address: TAP_MARKET, abi: marketAbi, functionName: "escrows", args: [BigInt(spec.listingId), account.address] });
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

server.jsView on unpkg · L19
package.jsonView file
scripts registry_only=start
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
dashboard.jsView file
matchType = previous_version_dangerous_delta matchedPackage = tapmarket-connect@0.1.1 matchedIdentity = npm:dGFwbWFya2V0LWNvbm5lY3Q:0.1.1 similarity = 0.400 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dashboard.jsView on unpkg

Findings

4 Critical3 Medium4 Low
CriticalCredential Exfiltrationserver.js
CriticalTrigger Reachable Dangerous Capabilityserver.js
CriticalManifest Confusionpackage.json
CriticalPrevious Version Dangerous Deltadashboard.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings