registry  /  tunnel-mcp  /  0.1.8

tunnel-mcp@0.1.8

Let two developers' Claude agents talk directly through an ephemeral, end-to-end-encrypted tunnel.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time lifecycle code writes a package-supplied Claude skill into the user's home Claude skills directory. This is an unconsented mutation of a foreign AI-agent control surface, regardless of the benign-looking skill text.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install with lifecycle scripts enabled
Impact
Claude agent behavior can be altered by package-supplied instructions installed outside the project during dependency installation.
Mechanism
postinstall copies bundled agent skill into ~/.claude/skills/tunnel-etiquette
Policy narrative
During npm install, postinstall.mjs loads dist/skillInstall.js, which resolves the default target to ~/.claude/skills and copies the bundled tunnel-etiquette skill there unless CI or TUNNEL_SKIP_SKILL_INSTALL is set. That plants package-supplied instructions into Claude's home agent skill surface without explicit user invocation. Runtime tunneling behavior appears aligned with the package purpose, but the lifecycle delivery into a foreign agent control surface is the blockable behavior.
Rationale
Static source inspection confirms unconsented lifecycle mutation of ~/.claude/skills, a broad/foreign AI-agent control surface covered by the block policy. The planted content appears safety-oriented, but policy treats the lifecycle delivery mechanism itself as malicious for this category.
Evidence
package.jsonpostinstall.mjsdist/skillInstall.jsskill/tunnel-etiquette/SKILL.mddist/cloudflared/provision.jsdist/config.js~/.claude/skills/tunnel-etiquette/SKILL.md~/.tunnel/bin/cloudflared~/.tunnel/sessions
Network endpoints6
github.com/cloudflare/cloudflared/releases/download/2026.6.1developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/1.1.1.1/dns-query1.0.0.1/dns-query8.8.8.8/resolve*.trycloudflare.com

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node postinstall.mjs
  • postinstall.mjs imports dist/skillInstall.js during npm install
  • dist/skillInstall.js defaultSkillsDir() targets ~/.claude/skills and cpSync copies skill/tunnel-etiquette there
  • installSkillBestEffort() runs unless CI or TUNNEL_SKIP_SKILL_INSTALL is set; no local/global install guard or explicit consent
  • skill/tunnel-etiquette/SKILL.md plants behavioral instructions for Claude agents
  • dist/cloudflared/provision.js can download and execute pinned cloudflared for runtime tunneling
Evidence against
  • Skill content is package-aligned safety guidance, not credential theft instructions
  • postinstall is best-effort and does not overwrite an existing skill unless CLI force path is used
  • Runtime MCP tunnel tools are user-invoked, with local HTTP listener bound to 127.0.0.1
  • No credential harvesting, destructive filesystem actions, or remote JS payload execution found
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 60.9 KB of source, external domains: 1.0.0.1, 1.1.1.1, 8.8.8.8, developers.cloudflare.com, github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings