algony-mymcp

v2.3.0 suspicious
5.0
Medium Risk

Linux system control MCP server over Streamable HTTP with Bearer token auth

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits a moderate risk due to potential shell execution risks, despite having low scores in other categories. The metadata also raises concerns with non-HTTPS links and limited author activity.

  • High shell risk
  • Concerning metadata
Per-check LLM notes
  • Network: No network calls were detected, which is low risk.
  • Shell: The presence of shell execution patterns suggests potential for privilege escalation or system modification activities.
  • Obfuscation: No obfuscation patterns detected, indicating low risk.
  • Credentials: No credential harvesting patterns detected, indicating low risk.
  • Metadata: The package has some red flags such as non-HTTPS links and an author with limited activity, but no clear signs of typosquatting or other malicious intent.

📦 Package Quality Overall: Medium (5.8/10)

✦ High Test Suite 9.0

Test suite present — 19 test file(s) found

  • Test runner config found: pyproject.toml
  • 19 test file(s) detected (e.g. test_admin.py)
◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (27849 chars)
○ Low Contributing Guide 4.0

No contributing guide or governance files found

  • Development Status classifier >= Beta
◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 146 type-annotated function signatures detected in source
◈ Medium Multiple Contributors 6.0

Limited contributor diversity

  • 2 unique contributor(s) across 100 commits in algony-tony/mymcp
  • Two distinct contributors found

🔬 Heuristic Checks

Outbound Network Calls

No suspicious network call patterns found

Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • .CompletedProcess: return subprocess.run(["systemctl", *args], check=check, capture_output=True, text
  • y exists.""" try: subprocess.run(["id", "-u", username], check=True, capture_output=True)
  • rocessError: pass subprocess.run( ["useradd", "-r", "-s", "/usr/sbin/nologin", userna
  • try: subprocess.run(cmd, check=True, capture_output=True) if shu
  • ash import _is_alive p = subprocess.Popen(["sleep", "0.2"]) try: assert _is_alive(p) is Tr
  • n_inflight_processes p = subprocess.Popen( ["sleep", "30"], start_new_session=True,
Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: gmail.com>

Suspicious Page Links score 10.0

Found 6 suspicious link(s) on the package page

  • Non-HTTPS external link: http://your-server:8765/health
  • Non-HTTPS external link: http://your-server:8765/version
  • Non-HTTPS external link: http://your-server:8765/metrics
  • Non-HTTPS external link: http://your-server:8765/admin/tokens
  • Non-HTTPS external link: http://your-server:8765/admin/tokens/tok_abc123
  • Non-HTTPS external link: http://your-server:8765/mcp
Git Repository History

Repository algony-tony/mymcp appears legitimate

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with algony-mymcp 
Create a Python-based mini-application named 'StreamControl' that allows users to manage their Linux systems remotely using the 'algony-mymcp' package. This application should serve as a proof-of-concept for controlling system processes, services, and basic configurations via a Streamable HTTP interface secured with Bearer token authentication.

### Project Overview:
- **Application Name:** StreamControl
- **Purpose:** Provide a secure and efficient way to control Linux system operations from a remote location.
- **Technologies Used:** Python, algony-mymcp, Streamable HTTP, Bearer Token Authentication.

### Features:
1. **User Authentication:** Implement a simple login system where users must provide a valid Bearer token to access system controls.
2. **Process Management:** Ability to start, stop, and restart processes on the Linux system.
3. **Service Control:** Enable users to enable, disable, and check the status of system services.
4. **System Information:** Display general system information such as uptime, memory usage, and disk space.
5. **Secure Communication:** All interactions between the client and the server should be over HTTPS and authenticated with Bearer tokens.

### Implementation Steps:
1. **Setup Environment:** Ensure Python and the 'algony-mymcp' package are installed on both the client and server machines.
2. **Server Configuration:** Configure the server to accept connections and authenticate users based on provided Bearer tokens.
3. **Client Development:** Develop the client-side application in Python, utilizing the 'algony-mymcp' package to communicate with the server.
4. **Feature Integration:** Integrate each feature (process management, service control, system info) into the application, ensuring they work seamlessly with the server.
5. **Testing:** Thoroughly test each feature to ensure security and functionality.
6. **Documentation:** Write comprehensive documentation detailing setup instructions, API endpoints, and usage examples.

### Additional Considerations:
- Ensure all data transmitted between the client and server is encrypted.
- Provide clear error messages and feedback to the user when actions fail.
- Include a mechanism to revoke or update Bearer tokens for enhanced security.

💬 Discussion Feed

Leave a comment

No discussion yet. Be the first to share your thoughts!