tunnel-mcp@0.1.6

Let two developers' Claude agents talk directly through an ephemeral, end-to-end-encrypted tunnel.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates a Claude agent skill directory during npm install. Even though the bundled skill is safety-oriented, it is an unconsented lifecycle write to an AI-agent control surface.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
npm install with lifecycle scripts enabled
Impact
Installs or changes local AI-agent behavior instructions without an explicit user command.
Mechanism
postinstall copies bundled Claude skill into ~/.claude/skills
Policy narrative
On install, npm runs postinstall.mjs, which imports dist/skillInstall.js and calls installSkillBestEffort. That function resolves the target to ~/.claude/skills unless overridden and copies the bundled tunnel-etiquette skill there if absent. This changes Claude Code skill behavior at lifecycle time rather than after an explicit install-skill command.
Rationale
Source inspection confirms unconsented postinstall mutation of ~/.claude/skills, an AI-agent control surface, which meets the firewall blocking boundary despite benign-looking skill content. Other risky primitives, such as cloudflared download/spawn and WebSocket traffic, appear user-invoked and package-aligned. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
  • package.json
  • postinstall.mjs
  • dist/skillInstall.js
  • skill/tunnel-etiquette/SKILL.md
  • ~/.claude/skills/tunnel-etiquette/SKILL.md

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node postinstall.mjs.
  • postinstall.mjs imports dist/skillInstall.js and calls installSkillBestEffort during npm install.
  • dist/skillInstall.js copies bundled skill/tunnel-etiquette into os.homedir()/.claude/skills by default.
  • skill/tunnel-etiquette/SKILL.md is an AI-agent behavior instruction surface for Claude tunnel sessions.
Evidence against
  • postinstall is best-effort, skips CI and TUNNEL_SKIP_SKILL_INSTALL, and does not overwrite an existing skill unless explicitly forced via CLI.
  • Bundled skill text is safety-oriented and tells agents to treat peer messages as untrusted input.
  • No credential harvesting, destructive behavior, or install-time network exfiltration found.
  • Runtime network/cloudflared behavior is package-aligned and user-invoked through MCP tunnel tools.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 18 file(s), 59.6 KB of source, external domains: 1.0.0.1, 1.1.1.1, 8.8.8.8, developers.cloudflare.com, github.com

Source & flagged code

3 flagged
package.json
scripts.postinstall = node postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

dist/cloudflared/provision.js
matchType = previous_version_dangerous_delta
matchedPackage = tunnel-mcp@0.1.5
matchedIdentity = npm:dHVubmVsLW1jcA:0.1.5
similarity = 0.944
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

Findings

1 Critical · 1 High · 3 Medium · 4 Low
Critical · Previous Version Dangerous Delta · dist/cloudflared/provision.js
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · Url Strings