tunnel-mcp@0.1.5

Let two developers' Claude agents talk directly through an ephemeral, end-to-end-encrypted tunnel.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates a Claude agent skills directory at npm install time. Although the bundled skill appears safety-oriented, it is still an unconsented lifecycle write into an AI-agent control surface.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
npm install with lifecycle scripts enabled
Impact
Installs agent instructions outside the package tree without explicit user action, changing future Claude agent behavior.
Mechanism
postinstall copies bundled AI skill into ~/.claude/skills
Policy narrative
On install, npm runs postinstall.mjs, which imports dist/skillInstall.js and best-effort copies the bundled tunnel-etiquette skill into the user's Claude skills directory unless CI or TUNNEL_SKIP_SKILL_INSTALL is set. The skill content itself is not overtly harmful, but the lifecycle hook modifies an AI-agent instruction/control surface without explicit user invocation.
Rationale
Runtime networking and cloudflared execution are aligned with the package's declared tunnel purpose, and I found no credential theft or destructive behavior. The blocking issue is the install-time, unconsented write to ~/.claude/skills, which changes an AI-agent control surface via a lifecycle hook. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
  • package.json
  • postinstall.mjs
  • dist/skillInstall.js
  • skill/tunnel-etiquette/SKILL.md
  • dist/cloudflared/provision.js
  • dist/config.js
  • ~/.claude/skills/tunnel-etiquette/SKILL.md
  • ~/.tunnel/bin/cloudflared
  • ~/.tunnel/sessions
Network endpoints (5)
  • github.com/cloudflare/cloudflared/releases/latest/download
  • developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/
  • 1.1.1.1/dns-query
  • 1.0.0.1/dns-query
  • 8.8.8.8/resolve

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node postinstall.mjs
  • postinstall.mjs imports ./dist/skillInstall.js and calls installSkillBestEffort during npm install
  • dist/skillInstall.js copies bundled skill into ~/.claude/skills/tunnel-etiquette by default
  • dist/skillInstall.js only skips on CI or TUNNEL_SKIP_SKILL_INSTALL; no install-time user consent
  • skill/tunnel-etiquette/SKILL.md is an AI-agent behavior instruction file
Evidence against
  • Skill content warns that tunnel peers are untrusted and asks for human approval before writes or risky commands
  • dist/skillInstall.js does not overwrite an existing skill unless explicit installSkill overwrite is used
  • dist/cloudflared/provision.js downloads cloudflared only from GitHub release URLs for package-aligned tunnel functionality
  • dist/tools.js exposes user-invoked MCP tunnel tools, not import-time exfiltration
  • No credential harvesting or arbitrary env/file exfiltration found in inspected source
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 18 file(s), 57.2 KB of source, external domains: 1.0.0.1, 1.1.1.1, 8.8.8.8, developers.cloudflare.com, github.com

Source & flagged code

4 flagged
package.json
scripts.postinstall = node postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

dist/cloudflared/provision.js
L4: import crypto from 'node:crypto';
L5: import { execSync, execFileSync } from 'node:child_process';
L6: import { pipeline } from 'node:stream/promises';
...
L8: import { BIN_DIR } from '../config.js';
L9: const RELEASE_BASE = 'https://github.[redacted]';
L10: const MANUAL_INSTALL_POINTER = 'https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/';
...
L32: try {
L33: const cmd = process.platform === 'win32' ? 'where cloudflared' : 'command -v cloudflared';
L34: const out = execSync(cmd, { stdio: ['ignore', 'pipe', 'ignore'] })
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cloudflared/provision.js · L4
dist/cloudflared/tunnelProcess.js
matchType = previous_version_dangerous_delta
matchedPackage = tunnel-mcp@0.1.3
matchedIdentity = npm:dHVubmVsLW1jcA:0.1.3
similarity = 0.688
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.


Findings

1 Critical · 2 High · 4 Medium · 4 Low
Critical · Previous Version Dangerous Delta · dist/cloudflared/tunnelProcess.js
High · Install Time Lifecycle Scripts · package.json
High · Sandbox Evasion Gated Capability · dist/cloudflared/provision.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · Url Strings