tunnel-mcp@0.1.9

Let two developers' Claude agents talk directly through an ephemeral, end-to-end-encrypted tunnel.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package has an install-time lifecycle hook that writes package-supplied agent instructions into the user's Claude skills directory. This is an unconsented mutation of a broad foreign AI-agent control surface.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install lifecycle postinstall
Impact
Persistently changes Claude agent behavior for future sessions without explicit user invocation
Mechanism
copies bundled Claude skill into ~/.claude/skills
Policy narrative
On npm install, postinstall.mjs loads dist/skillInstall.js and calls installSkillBestEffort. That function resolves the default skills directory to ~/.claude/skills and copies the bundled tunnel-etiquette skill into it unless CI or TUNNEL_SKIP_SKILL_INSTALL is set. The planted instructions are safety-oriented and package-aligned, but the delivery is lifecycle-triggered and modifies a foreign Claude agent control surface without an explicit user command.
Rationale
Under the install-control-surface policy, unconsented lifecycle writes into ~/.claude/skills constitute a blockable AI-agent control hijack even when the content appears product-aligned. Other network and child-process behavior appears aligned with the tunnel MCP runtime and is not the basis for the block.
Evidence
  • package.json
  • postinstall.mjs
  • dist/skillInstall.js
  • skill/tunnel-etiquette/SKILL.md
  • dist/cloudflared/provision.js
  • dist/cloudflared/tunnelProcess.js
  • ~/.claude/skills/tunnel-etiquette/SKILL.md
  • ~/.tunnel/bin/cloudflared
Network endpoints (6)
  • github.com/cloudflare/cloudflared/releases/download/2026.6.1
  • developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/
  • 1.1.1.1/dns-query
  • 1.0.0.1/dns-query
  • 8.8.8.8/resolve
  • *.trycloudflare.com

Decision evidence

public snapshot
AI called this Malicious at 95.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node postinstall.mjs
  • postinstall.mjs imports dist/skillInstall.js and calls installSkillBestEffort during npm install
  • dist/skillInstall.js defaults target to ~/.claude/skills and cpSync copies bundled skill there
  • skill/tunnel-etiquette/SKILL.md is package-supplied Claude agent instruction content
Evidence against
  • postinstall is best-effort, is skipped when CI or TUNNEL_SKIP_SKILL_INSTALL is set, and does not overwrite an existing skill by default
  • Runtime tunnel/network behavior is package-aligned MCP functionality
  • cloudflared download is user/runtime-triggered, pinned to a version, and SHA-256 checked before execution
  • No credential harvesting, destructive file operations, or unrelated exfiltration found
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 19 file(s), 62.0 KB of source, external domains: 1.0.0.1, 1.1.1.1, 8.8.8.8, developers.cloudflare.com, github.com

Source & flagged code

2 flagged

package.json
scripts.postinstall = node postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High, 3 Medium, 4 Low
  • High · Install Time Lifecycle Scripts · package.json
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Network
  • Medium · Environment Vars
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · Url Strings