AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The network, child_process, and filesystem behavior is user-invoked tunnel functionality aligned with the package description.
Static reason
One or more suspicious static signals were detected.
Trigger
User invokes MCP tools such as tunnel_open, tunnel_join, tunnel_say, or tunnel_close.
Impact
Creates a two-party agent chat tunnel; writes temporary session logs and may install cloudflared under the user's home directory.
Mechanism
Ephemeral Cloudflare tunnel plus encrypted WebSocket relay
Rationale
Static source inspection shows sensitive primitives, but they implement the advertised MCP tunnel and are activated by explicit tool calls rather than lifecycle or import-time execution. I found no credential harvesting, hidden exfiltration, persistence, destructive behavior, or unconsented AI-agent control-surface mutation.
Evidence
- package.json
- dist/index.js
- dist/tools.js
- dist/session.js
- dist/cloudflared/provision.js
- dist/cloudflared/tunnelProcess.js
- dist/relay/hostRelay.js
- dist/relay/guestClient.js
- dist/protocol/crypto.js
- dist/log/sessionLog.js
- skill/tunnel-etiquette/SKILL.md
- ~/.tunnel/bin/cloudflared
- ~/.tunnel/bin/cloudflared.exe
- ~/.tunnel/sessions/<tunnelId>.jsonl
Network endpoints (4)
- github.com/cloudflare/cloudflared/releases/latest/download
- developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/
- [a-z0-9-]+.trycloudflare.com
- localhost:<localPort>
Decision evidence
public snapshot
AI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for block
Evidence against
- package.json has no install/postinstall hook; prepublishOnly only runs npm run build before publishing.
- dist/index.js only starts an MCP stdio server and registers tunnel_* tools.
- dist/cloudflared/provision.js downloads cloudflared only when tunnel_open needs it, not on install/import.
- dist/cloudflared/tunnelProcess.js spawns cloudflared with tunnel --url to expose a local relay, matching package purpose.
- dist/protocol/crypto.js encrypts chat bodies with tweetnacl secretbox and uses HMAC challenge auth.
- skill/tunnel-etiquette/SKILL.md instructs agents to treat peer messages as untrusted and require human approval for consequential actions.
Behavioral surface
Child Process, Crypto, Filesystem, Network, Shell, WebSocket, Url Strings
Source & flagged code
1 flagged · dist/cloudflared/provision.js
L4: import crypto from 'node:crypto';
L5: import { execSync, execFileSync } from 'node:child_process';
L6: import { pipeline } from 'node:stream/promises';
...
L8: import { BIN_DIR } from '../config.js';
L9: const RELEASE_BASE = 'https://github.[redacted]';
L10: const MANUAL_INSTALL_POINTER = 'https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/';
...
L32: try {
L33: const cmd = process.platform === 'win32' ? 'where cloudflared' : 'command -v cloudflared';
L34: const out = execSync(cmd, { stdio: ['ignore', 'pipe', 'ignore'] })
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/cloudflared/provision.js · L4
Findings
1 High · 1 Medium · 4 Low
- High: Sandbox Evasion Gated Capability (dist/cloudflared/provision.js)
- Medium: Network
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings