tunnel-mcp@0.1.1

Let two developers' Claude agents talk directly through an ephemeral, end-to-end-encrypted tunnel.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The network, child_process, and filesystem behavior is user-invoked tunnel functionality aligned with the package description.

Static reason
One or more suspicious static signals were detected.
Trigger
User invokes MCP tools such as tunnel_open, tunnel_join, tunnel_say, or tunnel_close.
Impact
Creates a two-party agent chat tunnel; writes temporary session logs and may install cloudflared under the user's home directory.
Mechanism
Ephemeral Cloudflare tunnel plus encrypted WebSocket relay
Rationale
Static source inspection shows sensitive primitives, but they implement the advertised MCP tunnel and are activated by explicit tool calls rather than lifecycle or import-time execution. I found no credential harvesting, hidden exfiltration, persistence, destructive behavior, or unconsented AI-agent control-surface mutation.
Evidence
• package.json
• dist/index.js
• dist/tools.js
• dist/session.js
• dist/cloudflared/provision.js
• dist/cloudflared/tunnelProcess.js
• dist/relay/hostRelay.js
• dist/relay/guestClient.js
• dist/protocol/crypto.js
• dist/log/sessionLog.js
• skill/tunnel-etiquette/SKILL.md
• ~/.tunnel/bin/cloudflared
• ~/.tunnel/bin/cloudflared.exe
• ~/.tunnel/sessions/<tunnelId>.jsonl
Network endpoints (4)
• github.com/cloudflare/cloudflared/releases/latest/download
• developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/
• [a-z0-9-]+.trycloudflare.com
• localhost:<localPort>

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall hook; prepublishOnly only runs npm run build before publishing.
    • dist/index.js only starts an MCP stdio server and registers tunnel_* tools.
    • dist/cloudflared/provision.js downloads cloudflared only when tunnel_open needs it, not on install/import.
    • dist/cloudflared/tunnelProcess.js spawns cloudflared with tunnel --url to expose a local relay, matching package purpose.
    • dist/protocol/crypto.js encrypts chat bodies with tweetnacl secretbox and uses HMAC challenge auth.
    • skill/tunnel-etiquette/SKILL.md instructs agents to treat peer messages as untrusted and require human approval for consequential actions.
    Behavioral surface
    Source
    ChildProcess, Crypto, Filesystem, Network, Shell, WebSocket
    Supply chain
    UrlStrings
    Manifest
    No manifest risk signals triggered.
    scanned 12 file(s), 37.8 KB of source, external domains: developers.cloudflare.com, github.com

    Source & flagged code

    1 flagged
    dist/cloudflared/provision.js
    L4: import crypto from 'node:crypto';
    L5: import { execSync, execFileSync } from 'node:child_process';
    L6: import { pipeline } from 'node:stream/promises';
    ...
    L8: import { BIN_DIR } from '../config.js';
    L9: const RELEASE_BASE = 'https://github.[redacted]';
    L10: const MANUAL_INSTALL_POINTER = 'https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/';
    ...
    L32: try {
    L33: const cmd = process.platform === 'win32' ? 'where cloudflared' : 'command -v cloudflared';
    L34: const out = execSync(cmd, { stdio: ['ignore', 'pipe', 'ignore'] })
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    dist/cloudflared/provision.js · L4

    Findings

    1 High · 1 Medium · 4 Low
    High: Sandbox Evasion Gated Capability (dist/cloudflared/provision.js)
    Medium: Network
    Low: Non Install Lifecycle Scripts
    Low: Scripts Present
    Low: Filesystem
    Low: Url Strings