
userelay@0.3.0

One MCP server. 40 tools. One command: npx relaymcp

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package is a JS launcher/installer for an external Relay binary. Risk is unresolved because npm postinstall fetches and installs an executable from GitHub releases, but the inspected JS does not show malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall, or relay CLI execution
Impact
Installs an opaque executable into the user's cache and later runs it when the relay bin is invoked.
Mechanism
install-time remote binary download and CLI spawn
Rationale
This is not confirmed malicious from source inspection, but install-time acquisition of an opaque native executable is a real unresolved supply-chain risk. The behavior appears package-aligned and checksum-guarded, so warn rather than block.
Evidence
  • package.json
  • bin/install.js
  • bin/lib.js
  • bin/run.js
  • ~/Library/Caches/relay/bin/relay
  • ~/.cache/relay/bin/relay
  • %LOCALAPPDATA%/Relay/bin/relay.exe
  • <cache>/version.txt
  • <cache>/bin/relay_{version}_{os}_{arch}.{tar.gz|zip}
Network endpoints (4)
  • github.com/valtors/relay/releases/download/v{version}/checksums.txt
  • github.com/valtors/relay/releases/download/v{version}/relay_{version}_{os}_{arch}.{tar.gz|zip}
  • api.github.com/repos/valtors/relay/releases/latest
  • github.com/valtors/relay/releases/tag/v{version}

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node ./bin/install.js.
  • bin/install.js downloads GitHub release archive and checksums.txt during install.
  • bin/install.js extracts relay/relay.exe into user cache and chmods it executable.
  • bin/run.js spawns the cached or fallback binary with user CLI args.
  • Only JS launcher source is present; downloaded native binary contents are not inspectable in package.
Evidence against
  • Network endpoints are package-aligned to valtors/relay GitHub releases/API.
  • Checksum verification is implemented before replacing cached binary.
  • No credential harvesting, broad file scanning, agent config mutation, or exfiltration code found in JS source.
  • No eval/vm/Function or dynamic require/import found.
  • Writes are limited to Relay cache/version/archive paths derived from OS cache dirs.
Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Network
Supply chain: Url Strings
Manifest: No manifest risk signals triggered.
scanned 3 file(s), 13.2 KB of source, external domains: api.github.com, github.com

Source & flagged code

2 flagged

package.json
scripts.postinstall = node ./bin/install.js
High: Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node ./bin/install.js
Medium: Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High, 3 Medium, 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings