AI Security Review
scanned 3d ago · by lpm-firewall-aiThe runtime LLM endpoint can start arbitrary configured MCP executables and invoke their exposed tools. This is a dangerous server-side capability, but it is not triggered during installation.
Static reason
One or more suspicious static signals were detected.
Trigger
An authenticated team user saves an MCP command, then calls `/api/llm/generate`.
Impact
A configured MCP executable can access server environment values and workspace files, perform arbitrary process actions, or exfiltrate data.
Mechanism
User-configured MCP subprocess execution with inherited environment and workspace root exposure.
Rationale
The package contains a real, high-impact arbitrary MCP command execution path, but it is a runtime feature initiated through authenticated settings rather than concrete malicious install behavior. Treat it as a dangerous capability requiring a warning, not a publish block.
Evidence
server/api/llm/generate.post.tsserver/api/settings/llm.put.tsserver/middleware/auth.tspackage.jsontest-register.js
Network endpoints6
api.openai.com/v1openrouter.ai/api/v1api.deepseek.comapi.mistral.ai/v1api.groq.com/openai/v1api.cohere.com/v1
Decision evidence
public snapshotAI called this Suspicious at 94.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `server/api/llm/generate.post.ts` launches each saved MCP command through `StdioClientTransport`.
- The launched MCP process inherits `process.env` and is given the package working directory as an MCP root.
- Authenticated users can persist arbitrary `mcpServers` strings via `server/api/settings/llm.put.ts`.
- LLM tool calls are forwarded to every discovered MCP tool without a package-side allowlist.
Evidence against
- `package.json` postinstall only runs `nuxt prepare && prisma generate`; no foreign agent configuration mutation is shown.
- No install-time network call, credential harvesting, payload download, or destructive command was found.
- `test-register.js` only targets localhost with test credentials.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
HighEntropyStringsUrlStrings
NoLicenseWildcardDependency
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = nuxt prepare && prisma generate
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = nuxt prepare && prisma generate
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgtest-register.jsView file
4patternName = generic_password
severity = medium
line = 4
matchedText = body: JS...' })
Medium
Findings
1 High5 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumSecret Patterntest-register.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License