agentmesh_mcp_server

v3.7.0 suspicious
4.0
Medium Risk

MCP Server for Claude Desktop - Agent OS kernel primitives including code safety verification, CMVK multi-model review, and IATP trust

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package is rated moderate risk because the scanner matched eval(), which becomes arbitrary code execution if untrusted input ever reaches the call. No outbound network, shell-execution or credential-access patterns were found, so there is no indication of immediate danger; the eval() finding still needs manual confirmation that the call is real and what input it receives.

  • High obfuscation risk due to eval()
  • No network or shell execution detected
  • No credential risk
Per-check LLM notes
  • Network: No network calls detected, which is normal if the package does not require external communication.
  • Shell: No shell execution detected, which is expected unless the package's functionality requires command-line operations.
  • Obfuscation: The eval() match indicates potential for executing arbitrary code. Input "sanitization" is not a reliable mitigation for eval(); if the value is data rather than code, the call should be replaced with a parser such as json.loads() or ast.literal_eval().
  • Credentials: No clear patterns of credential harvesting detected.

📦 Package Quality Overall: Medium (5.4/10)

○ Low Test Suite 1.0

No test suite detected

  • No test files or test-runner configuration detected
◈ Medium Documentation 7.0

Some documentation present

  • Documentation URL: "Documentation" -> https://github.com/microsoft/agent-governance-toolkit/tree/m
  • Detailed PyPI description (6396 chars)
○ Low Contributing Guide 4.0

No contributing guide or governance files found

  • Development Status classifier >= Beta
◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 43 type-annotated function signatures detected in source
✦ High Multiple Contributors 10.0

Active multi-contributor project

  • 14 unique contributor(s) across 100 commits in microsoft/agent-governance-toolkit
  • Active community — 5 or more distinct contributors

🔬 Heuristic Checks

Outbound Network Calls

No suspicious network call patterns found

Code Obfuscation score 4.0

Found 2 obfuscation pattern(s). Both matches sit inside string literals (JSON-style "message"/"fix" pairs that describe eval() as dangerous), which is consistent with a rule catalogue in a code-safety-verification package rather than an actual eval() call, so confirm by inspection before treating this as dynamic code execution:

  • matched snippet: `ge": "Dynamic code execution: eval() detected", "alternative": "Use JSON.parse() fo`
  • matched snippet: `"issue": "eval() usage is dangerous", "fix": "Use JSON.`
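A practitioner reviewing this verdict (and the AI Analysis above) would want to know whether eval() is invoked or only named in a string. The following is an added example, not part of the scanner and not code from agentmesh_mcp_server: it parses a Python source file into an AST and reports real eval/exec/compile calls separately from string literals that merely mention them. The two sample sources are constructed for the demonstration; one mimics a rule catalogue of the kind the matched snippets suggest, the other genuinely calls eval() and exec().

```python
"""Distinguish real eval()/exec() calls from string literals that mention them.

Added example, not part of the scanner or the agentmesh_mcp_server package.
Both sample sources below are constructed for illustration.
"""
import ast

# Builtins that turn a string into executable code.
DYNAMIC_EXEC_NAMES = {"eval", "exec", "compile"}

# Constructed sample: a rule catalogue that talks about eval() but never calls it.
RULE_CATALOGUE_SRC = '''
RULES = [
    {"message": "Dynamic code execution: eval() detected",
     "alternative": "Use JSON.parse() for data"},
    {"issue": "eval() usage is dangerous", "fix": "Use JSON.loads()"},
]
'''

# Constructed sample: code that really does evaluate caller-supplied text.
REAL_EVAL_SRC = '''
import json

def load_config(text):
    return eval(text)  # should be json.loads(text)

def run(payload):
    exec(compile(payload, "<payload>", "exec"))
'''


def find_dynamic_exec_calls(source: str, filename: str = "<string>"):
    """Return (lineno, name) for every real call to eval/exec/compile.

    Walking the AST means substrings such as "eval()" inside string literals,
    comments or dict values are ignored: only ast.Call nodes whose callee is a
    bare name (eval) or an attribute (builtins.eval) count.
    """
    tree = ast.parse(source, filename=filename)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name):
            name = func.id
        elif isinstance(func, ast.Attribute):
            name = func.attr
        else:
            continue
        if name in DYNAMIC_EXEC_NAMES:
            hits.append((node.lineno, name))
    return hits


def count_string_mentions(source: str, needle: str = "eval(") -> int:
    """Count occurrences of needle inside string literals only (a regex grep would
    count these as findings; the AST lets us separate them from real calls)."""
    tree = ast.parse(source)
    return sum(
        node.value.count(needle)
        for node in ast.walk(tree)
        if isinstance(node, ast.Constant) and isinstance(node.value, str)
    )


def triage(source: str) -> str:
    """'executes' if real dynamic-execution calls exist, 'mentions-only' if the
    name appears only inside strings, otherwise 'clean'."""
    if find_dynamic_exec_calls(source):
        return "executes"
    if count_string_mentions(source):
        return "mentions-only"
    return "clean"


if __name__ == "__main__":
    for label, src in (("rule catalogue", RULE_CATALOGUE_SRC),
                       ("real eval", REAL_EVAL_SRC)):
        print(f"{label}: {triage(src)} {find_dynamic_exec_calls(src)}")
```

Run it over each `.py` file in the extracted sdist or wheel; a file that triages as "mentions-only" explains a regex hit like the two above without any code-execution risk, while an "executes" result is where the review effort belongs (what feeds the call, and whether it is reachable from MCP tool input).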
Shell / Subprocess Execution

No shell execution patterns detected

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: microsoft.com

Suspicious Page Links

All external links appear legitimate

Git Repository History

Repository microsoft/agent-governance-toolkit appears legitimate

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with agentmesh_mcp_server
Create a desktop application called 'AgentGuard' that leverages the capabilities of the 'agentmesh_mcp_server' package to ensure the security and integrity of user interactions within a controlled environment. This application will serve as a sandboxed interface for executing untrusted code snippets while providing real-time feedback on potential risks and ensuring compliance with predefined safety policies.

Step-by-Step Guide:
1. Initialize your Python project with the necessary dependencies, including 'agentmesh_mcp_server'.
2. Design a simple UI using a library like Tkinter or PyQt for users to input their code snippets.
3. Implement a backend service that uses 'agentmesh_mcp_server' to perform code safety verification before execution.
4. Integrate CMVK multi-model review to analyze the code snippet from multiple perspectives (e.g., syntax correctness, potential security vulnerabilities).
5. Utilize IATP trust mechanisms to establish a baseline of trustworthiness for the code snippet based on its origin and content.
6. Provide real-time feedback to the user regarding the status of their code snippet's verification process and any identified issues.
7. Execute the verified code snippet within a secure, isolated environment and monitor its behavior.
8. Log all activities related to the code snippet's lifecycle, including submission, verification results, and execution outcomes.

Suggested Features:
- User-friendly interface for submitting code snippets.
- Detailed report generation summarizing the verification process and findings.
- Integration with external threat intelligence feeds to enhance the detection of malicious patterns.
- Support for multiple programming languages through dynamic language detection and appropriate verification models.
- Customizable safety policies allowing administrators to define acceptable risk levels and behaviors.