registry  /  typegraph-mcp  /  0.9.46

typegraph-mcp@0.9.46

Type-aware codebase navigation for AI coding agents — 14 MCP tools powered by tsserver + oxc

AI Security Review

scanned 9h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found. The package has explicit setup commands that install a first-party MCP plugin and mutate AI-agent config/instruction files, which is a guarded agent extension lifecycle risk rather than install-time hijacking.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs typegraph-mcp setup, remove, check, test, bench, or start
Impact
Can register typegraph MCP servers, append agent instructions, copy skills/hooks, install plugin dependencies, and remove package-owned setup on uninstall.
Mechanism
explicit first-party MCP agent setup and local TypeScript navigation
Rationale
Source inspection shows explicit user-command agent extension setup with local MCP functionality and no install-time execution or exfiltration. This should be warned as lifecycle/control-surface risk, not blocked as malware.
Evidence
package.jsoncli.tsserver.tstsserver-client.tshooks/hooks.jsonscripts/ensure-deps.shcheck.tsREADME.mdplugins/typegraph-mcp/./.cursor/mcp.json./.codex/config.toml./.vscode/mcp.json~/.gemini/antigravity/mcp_config.json~/.gemini/antigravity-cli/plugins/typegraph-mcp/mcp_config.json./.agents/skills/CLAUDE.mdAGENTS.mdGEMINI.md./.github/copilot-instructions.mdtsconfig.jsoneslint.config.*.oxlintrc.jsonoxlint.config.*
Network endpoints4
github.com/guyowen/typegraph-mcp.gitmodelcontextprotocol.io/github.com/nicolo-ribaudo/oxc-parsergithub.com/nicolo-ribaudo/oxc-resolver

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • cli.ts setup writes agent MCP configs for Cursor/Codex/Copilot/Antigravity and appends instructions to agent files.
  • cli.ts setup copies plugin files into plugins/typegraph-mcp and runs npm install --include=optional in that directory.
  • hooks/hooks.json defines a Claude SessionStart command invoking scripts/ensure-deps.sh, which can run npm install in the plugin dir.
  • cli.ts remove can delete package-owned plugin dirs and selected typegraph skill dirs, plus guarded stale Codex config cleanup.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • Agent config mutation is behind explicit typegraph-mcp setup/remove commands, not npm install/import time.
  • MCP server behavior in server.ts is local TypeScript navigation over stdio; no fetch/http exfiltration code found.
  • Child process use is package-aligned: tsserver spawning and setup dependency install.
  • Network endpoints are limited to repository/docs URLs and npm install behavior, not hardcoded exfiltration endpoints.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 22 file(s), 587 KB of source, external domains: json.schemastore.org

Source & flagged code

5 flagged · loading source
tsserver-client.tsView file
10L11: import { spawn, type ChildProcess } from "node:child_process"; L12: import * as path from "node:path";
High
Child Process

Package source references child process execution.

tsserver-client.tsView on unpkg · L10
dist/check.jsView file
123} L124: function resolveProjectImport(resolver, fromDir, specifier, projectRoot) { L125: try {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/check.jsView on unpkg · L123
cli.tsView file
matchType = previous_version_dangerous_delta matchedPackage = typegraph-mcp@0.9.45 matchedIdentity = npm:dHlwZWdyYXBoLW1jcA:0.9.45 similarity = 0.909 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

cli.tsView on unpkg
1067try { L1068: execSync("npm install --include=optional", { cwd: targetDir, stdio: "pipe" }); L1069: s.stop(`${isUpdate ? "Updated" : "Installed"} ${copied} files with dependencies`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

cli.tsView on unpkg · L1067
scripts/ensure-deps.shView file
path = scripts/ensure-deps.sh kind = build_helper sizeBytes = 1033 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/ensure-deps.shView on unpkg

Findings

1 Critical3 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltacli.ts
HighChild Processtsserver-client.ts
HighShell
HighRuntime Package Installcli.ts
MediumDynamic Requiredist/check.js
MediumEnvironment Vars
MediumShips Build Helperscripts/ensure-deps.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings