registry  /  tauri-plugin-mcp-server  /  0.2.0

tauri-plugin-mcp-server@0.2.0

MCP server that lets AI agents interact with and debug Tauri applications via the tauri-plugin-mcp socket (screenshots, DOM access, input simulation, log querying)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Running the CLI connects it to a configured local Tauri MCP socket and registers powerful MCP tools. An MCP client can invoke arbitrary webview JavaScript, backend IPC, storage operations, screenshots, and app restart/force-kill actions.

Static reason
No blocking static signals were detected.
Trigger
User runs `tauri-mcp-server` with a reachable Tauri socket, then an MCP client invokes a tool.
Impact
A connected agent can control and inspect the configured Tauri application; this is dangerous dual-use functionality, not a confirmed package-originated attack.
Mechanism
Explicit MCP-to-Tauri control bridge over local IPC or configurable TCP.
Rationale
The package is not malicious by static source evidence, but it intentionally grants an AI/MCP client high-impact control over a connected Tauri application. Flag as a warning for dangerous dual-use capability rather than block publication.
Evidence
package.jsonbuild/index.jsbuild/tools/client.jsbuild/tools/execute_js.jsbuild/tools/manage_ipc.jsbuild/tools/manage_storage.jsbuild/tools/restart_app.jsREADME.md
Network endpoints1
127.0.0.1:9999

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `build/tools/execute_js.js` exposes arbitrary JavaScript execution in a target Tauri webview.
  • `build/tools/manage_ipc.js` forwards backend IPC commands through the local socket.
  • `build/tools/manage_storage.js` can read or clear application storage and cookies.
  • `build/tools/restart_app.js` can kill the socket-owning app process after a failed restart.
  • `build/tools/client.js` optionally connects to a TCP host supplied by environment variables.
Evidence against
  • `package.json` has no install, preinstall, or postinstall lifecycle hook; `prepublishOnly` is publish-time only.
  • `build/index.js` starts only as the explicit CLI/MCP server and uses stdio transport.
  • `build/tools/client.js` defaults to a local Unix socket or `127.0.0.1:9999`; no hard-coded external endpoint exists.
  • No source reads unrelated credentials or exfiltrates data over HTTP.
  • No package code writes AI-agent configuration or establishes persistence.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 19 file(s), 125 KB of source

Source & flagged code

5 flagged · loading source
build/tools/execute_js.jsView file
Published source reference
Medium
Ai Review Evidence

`build/tools/execute_js.js` exposes arbitrary JavaScript execution in a target Tauri webview.

build/tools/execute_js.jsView on unpkg
build/tools/manage_ipc.jsView file
Published source reference
Medium
Ai Review Evidence

`build/tools/manage_ipc.js` forwards backend IPC commands through the local socket.

build/tools/manage_ipc.jsView on unpkg
build/tools/manage_storage.jsView file
Published source reference
Medium
Ai Review Evidence

`build/tools/manage_storage.js` can read or clear application storage and cookies.

build/tools/manage_storage.jsView on unpkg
build/tools/restart_app.jsView file
Published source reference
Medium
Ai Review Evidence

`build/tools/restart_app.js` can kill the socket-owning app process after a failed restart.

build/tools/restart_app.jsView on unpkg
build/tools/client.jsView file
Published source reference
Medium
Ai Review Evidence

`build/tools/client.js` optionally connects to a TCP host supplied by environment variables.

build/tools/client.jsView on unpkg

Findings

6 Medium4 Low
MediumEnvironment Vars
MediumAi Review Evidencebuild/tools/execute_js.js
MediumAi Review Evidencebuild/tools/manage_ipc.js
MediumAi Review Evidencebuild/tools/manage_storage.js
MediumAi Review Evidencebuild/tools/restart_app.js
MediumAi Review Evidencebuild/tools/client.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings