registry  /  tunnel-mcp  /  0.1.2

tunnel-mcp@0.1.2

Let two developers' Claude agents talk directly through an ephemeral, end-to-end-encrypted tunnel.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package performs install-time modification of a Claude agent skill directory. This is an unconsented AI-agent control-surface write even though the bundled skill content appears safety-oriented.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm install with lifecycle scripts enabled
Impact
Alters local Claude agent behavior/instructions without an explicit user command
Mechanism
postinstall copies bundled Claude skill into user skill directory
Policy narrative
On normal npm install, the postinstall script loads dist/skillInstall.js and best-effort copies the bundled tunnel-etiquette skill into the user's Claude skills directory unless CI or TUNNEL_SKIP_SKILL_INSTALL is set. That changes an AI agent instruction surface as an install side effect rather than via explicit CLI invocation.
Rationale
Source inspection confirms install-time AI-agent control-surface mutation through postinstall copying a Claude skill into ~/.claude/skills. Other network, child_process, and file writes are aligned with the tunnel product, but the lifecycle skill installation is enough to block under the firewall policy. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonpostinstall.mjsdist/skillInstall.jsskill/tunnel-etiquette/SKILL.mddist/cloudflared/provision.jsdist/cloudflared/tunnelProcess.jsdist/session.js~/.claude/skills/tunnel-etiquette/SKILL.md~/.tunnel/bin/cloudflared~/.tunnel/sessions/*.jsonl
Network endpoints3
github.com/cloudflare/cloudflared/releases/latest/downloaddevelopers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/*.trycloudflare.com

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node postinstall.mjs
  • postinstall.mjs imports dist/skillInstall.js and calls installSkillBestEffort during npm install
  • dist/skillInstall.js copies bundled skill/tunnel-etiquette into ~/.claude/skills by default
  • dist/skillInstall.js only opts out on CI or TUNNEL_SKIP_SKILL_INSTALL, so normal install mutates Claude skill state
  • skill/tunnel-etiquette/SKILL.md contains agent-behavior instructions for tunnel_* tool use
Evidence against
  • No credential harvesting or secret exfiltration found in inspected files
  • cloudflared download/spawn behavior is runtime tunnel functionality, not install-time execution
  • Network endpoints are package-aligned for Cloudflare tunnel operation
  • Session messages are encrypted with tweetnacl secretbox and join links are single-use/expiring
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 16 file(s), 50.6 KB of source, external domains: developers.cloudflare.com, github.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cloudflared/provision.jsView file
4import crypto from 'node:crypto'; L5: import { execSync, execFileSync } from 'node:child_process'; L6: import { pipeline } from 'node:stream/promises'; ... L8: import { BIN_DIR } from '../config.js'; L9: const RELEASE_BASE = 'https://github.[redacted]'; L10: const MANUAL_INSTALL_POINTER = 'https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/'; ... L32: try { L33: const cmd = process.platform === 'win32' ? 'where cloudflared' : 'command -v cloudflared'; L34: const out = execSync(cmd, { stdio: ['ignore', 'pipe', 'ignore'] })
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cloudflared/provision.jsView on unpkg · L4
dist/cloudflared/tunnelProcess.jsView file
matchType = previous_version_dangerous_delta matchedPackage = tunnel-mcp@0.1.1 matchedIdentity = npm:dHVubmVsLW1jcA:0.1.1 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/cloudflared/tunnelProcess.jsView on unpkg

Findings

1 Critical2 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/cloudflared/tunnelProcess.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/cloudflared/provision.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings