Adds a concise action advisory for engineering leads summarising the 9 open findings from the full SAFE-MCP audit, with immediate remediation steps for NEW-003 (unpinned npm packages in .mcp.json — HIGH), a Phase 35 scoping recommendation for plugin supply-chain hardening (VULN-003, VULN-004), and medium-term GLOBAL memory scope controls (VULN-002, VULN-005). Pairs with: monorepo PR #808, docs PR #18

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
SAFE-MCP Advisory — 2026-04-17
Type: Internal action advisory (distilled from full audit)
Full audit: docs/security/safe-mcp-audit-2026-04-17.md (SAFE-MCP, 438 lines)
Audience: Engineering leads, platform team
Prepared by: Documentation Specialist (pairs with PR #808)
TL;DR — What needs fixing and in what order
| # | Finding | Severity | Owner | Status |
|---|---|---|---|---|
| 1 | NEW-003: Unpinned npm MCP packages in `.mcp.json` | HIGH | Platform | Open — fix in next deploy |
| 2 | VULN-003: No manifest signing on GitHub plugin install | HIGH | Platform | Open — Phase 35 |
| 3 | VULN-004: Floating plugin refs (no pinned SHA) | HIGH | Platform | Open — Phase 35 |
| 4 | VULN-002: GLOBAL memory prompt injection (partial) | HIGH | Platform | Partially mitigated (#767) |
| 5 | VULN-006: No tool output sanitization in MCP server | MEDIUM | DevRel/SDK | Open |
| 6 | NEW-002: subprocess sandbox allows `language=shell` | MEDIUM | Platform | By-design; needs scope review |
| 7 | NEW-001: LangGraph A2A calls missing auth headers | MEDIUM | LangGraph template | Open |
| 8 | VULN-005: GLOBAL memories visible to all workspaces | MEDIUM | Platform | Partially mitigated (#767) |
| 9 | NEW-004: `_maybe_log_skill_promotion` unauthenticated heartbeat | LOW | Platform | Open |
Already fixed: VULN-001 (X-Workspace-ID system-caller header forge) — confirmed resolved in PR #766.
Immediate action: NEW-003 (HIGH) — Pin npm MCP packages
File: .mcp.json — change both entries before next developer onboarding or CI run.
Current (unsafe):
`"args": ["-y", "@molecule-ai/mcp-server"]`
Fixed:
`"args": ["@molecule-ai/mcp-server@<current-version>"]`
Steps:
- Run `npm show @molecule-ai/mcp-server version` and `npm show @awareness-sdk/local version` to get the latest pinnable version.
- Update `.mcp.json` — remove the `-y` flag, add `@<exact-version>` to each package name.
- Add a `package.json` + `package-lock.json` alongside `.mcp.json` to lock the full dependency tree.
- Wire `npm audit signatures` into CI (`molecule-ci` pipeline).
Why this is urgent: npx -y fetches and executes the latest published npm package on every invocation with no integrity check. A compromised @molecule-ai npm account or a dependency confusion attack causes arbitrary code execution in the Claude Code developer environment.
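A CI-side check for the pinning rule above, as an added example (not project code, not part of the audit). It assumes the Claude Code `.mcp.json` layout `{"mcpServers": {"<name>": {"command": "npx", "args": [...]}}}` and lints every npx-launched server for the two problems the advisory describes: a `-y`/`--yes` flag, and a package spec without an exact version. The sample config is constructed and mirrors the before/after snippets above.

```python
"""Lint an .mcp.json for MCP servers that npx would fetch unpinned.

Added example, not project code. It assumes the Claude Code .mcp.json layout
{"mcpServers": {"<name>": {"command": "npx", "args": [...]}}}; the sample
config below is constructed for the demo.
"""
import json
import re

# An exact semver pin (1.2.3, 1.2.3-beta.1). Ranges (^1.2, >=1), dist-tags
# (latest, next) and bare package names all resolve at install time.
_EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

SAMPLE_MCP_JSON = json.dumps({  # constructed sample, mirrors the advisory's before/after
    "mcpServers": {
        "molecule":  {"command": "npx", "args": ["-y", "@molecule-ai/mcp-server"]},
        "awareness": {"command": "npx", "args": ["@awareness-sdk/local@0.4.2"]},
        "ranged":    {"command": "npx", "args": ["@awareness-sdk/local@^0.4"]},
        "local":     {"command": "python", "args": ["-m", "my_local_server"]},
    }
})

def split_spec(spec):
    """Split 'pkg@ver' into (pkg, ver). The '@' of a scoped name sits at
    index 0, so rfind() never mistakes it for the version separator."""
    at = spec.rfind("@")
    if at <= 0:
        return spec, None
    return spec[:at], spec[at + 1:]

def find_unpinned(mcp_json_text):
    """Return (server_name, problem) for every npx-launched server whose
    package would be resolved at run time instead of pinned."""
    problems = []
    for name, server in json.loads(mcp_json_text).get("mcpServers", {}).items():
        if server.get("command") not in ("npx", "npx.cmd"):
            continue  # only npx entries auto-fetch from the registry
        npx_flags, spec = [], None
        for arg in server.get("args", []):
            if spec is not None:       # args after the spec belong to the server
                break
            if arg.startswith("-"):    # flags before the spec belong to npx
                npx_flags.append(arg)
            else:
                spec = arg
        for flag in ("-y", "--yes"):
            if flag in npx_flags:
                problems.append((name, f"{flag}: npx auto-installs whatever the registry serves"))
        if spec is None:
            problems.append((name, "no package spec"))
            continue
        pkg, ver = split_spec(spec)
        if ver is None:
            problems.append((name, f"{pkg} has no version; resolves to the 'latest' dist-tag"))
        elif not _EXACT_VERSION.match(ver):
            problems.append((name, f"{pkg}@{ver} is a range or tag, not an exact version"))
    return problems

if __name__ == "__main__":
    for server, problem in find_unpinned(SAMPLE_MCP_JSON):
        print(f"{server}: {problem}")
```

Run it against the repository's `.mcp.json` in the `molecule-ci` pipeline and fail the job on a non-empty result; the exact-version check deliberately rejects ranges and dist-tags, since either one lets a later publish change what runs.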
Short-term (Phase 35): Plugin supply-chain hardening
VULN-003 and VULN-004 require a Phase 35 track. Recommended scope:
- Require pinned refs — reject `github://org/repo` without `#<40-char-sha>`. Already gated by `PLUGIN_ALLOW_UNPINNED` (PR #775); make `false` the hard default in production.
- Add manifest content hash — add a `sha256:` field to `plugin.yaml` covering the cloned content tree. Verify post-clone before staging.
- Consider sigstore/GPG release signing for first-party plugins (`molecule-ai-plugin-*`).
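How the first two Phase 35 items could be enforced at install time, as an added example (not the project's code). It takes the `github://org/repo#<40-char-sha>` ref syntax and the proposed `sha256:` field in `plugin.yaml` from the advisory; the tree-digest format (sorted relative paths, each mixed in with its length and bytes), the function names and the throwaway fixture tree are this example's own assumptions.

```python
"""Pinned-ref gate and manifest content-hash check for GitHub plugin installs.

Added example, not the project's code. It takes the ref syntax
github://org/repo#<40-char-sha> and the proposed `sha256:` field in
plugin.yaml from the advisory; the tree-digest format, function names and
the fixture plugin tree are this example's own assumptions.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

MANIFEST = "plugin.yaml"
_PINNED_REF = re.compile(r"^github://[\w.-]+/[\w.-]+#[0-9a-f]{40}$")

def is_pinned_ref(ref):
    """Accept only a full 40-hex commit sha. Branches, tags and short shas
    are floating: what they point at can change after review."""
    return bool(_PINNED_REF.match(ref))

def tree_sha256(root):
    """Deterministic digest over every file under root, excluding .git/ and
    the manifest (which cannot contain its own hash). Relative path and
    length are mixed in so renames and boundary shifts change the digest."""
    root = Path(root)
    entries = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel.split("/")[0] == ".git" or rel == MANIFEST:
            continue
        entries.append((rel, p))
    h = hashlib.sha256()
    for rel, p in sorted(entries):
        data = p.read_bytes()
        h.update(f"{rel}\0{len(data)}\0".encode())
        h.update(data)
    return h.hexdigest()

def manifest_sha256(root):
    """Pull the sha256: value out of plugin.yaml (a line match is enough for
    the demo; the real loader would use its YAML parser)."""
    for line in (Path(root) / MANIFEST).read_text().splitlines():
        m = re.match(r"^sha256:\s*([0-9a-f]{64})$", line.strip())
        if m:
            return m.group(1)
    return None

def verify_clone(root):
    """Post-clone, pre-staging gate: the manifest must declare a digest and
    it must equal the recomputed tree digest (constant-time compare)."""
    expected = manifest_sha256(root)
    return expected is not None and hmac.compare_digest(expected, tree_sha256(root))

def build_fixture():
    """Constructed sample plugin tree with a correct manifest digest."""
    root = Path(tempfile.mkdtemp(prefix="plugin-fixture-"))
    (root / "skills").mkdir()
    (root / "skills" / "hello.py").write_text("print('hello')\n")
    (root / "README.md").write_text("# demo plugin\n")
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")  # must not affect digest
    (root / MANIFEST).write_text(f"name: demo-plugin\nsha256: {tree_sha256(root)}\n")
    return str(root)

def tamper(root):
    """Simulate the cloned content differing from what the manifest covers."""
    (Path(root) / "skills" / "hello.py").write_text("print('changed')\n")

if __name__ == "__main__":
    root = build_fixture()
    print("pinned:", is_pinned_ref("github://molecule-ai/plugin#" + "a" * 40))
    print("verified:", verify_clone(root))
    tamper(root)
    print("verified after tamper:", verify_clone(root))
```

The content hash only proves the clone matches what the manifest author committed to; it is not a signature, which is why the third item (sigstore/GPG release signing) is listed separately.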
Medium-term: GLOBAL memory scope hardening
VULN-002 / VULN-005 — delimiter wrapping (PR #767) reduces injection risk but does not prevent a malicious workspace from writing to GLOBAL scope and having the injected prompt read by a different workspace. Proposed additional controls:
- Rate-limit GLOBAL `commit_memory` writes per workspace per hour.
- Add a supervisor/approval flow for GLOBAL writes from untrusted workspaces.
- Consider making GLOBAL scope read-only except for privileged system roles.
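The three proposed controls as one policy gate in front of `commit_memory`, as an added example (not project code). The class, role names and workspace ids are assumptions, and the clock is injectable so the hourly window can be exercised without waiting an hour.

```python
"""Write-policy gate for the GLOBAL memory scope.

Added example, not project code. It models the three proposed controls
(hourly per-workspace rate limit, approval queue for untrusted workspaces,
privileged-roles-only mode) in front of a commit_memory call; the class,
role names and workspace ids are assumptions, and the clock is injectable
so the window logic can be exercised without waiting an hour.
"""
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 3600

class GlobalWritePolicy:
    def __init__(self, max_per_hour=5, trusted_workspaces=(),
                 privileged_roles=("system",), read_only=False,
                 clock=time.monotonic):
        self.max_per_hour = max_per_hour
        self.trusted = set(trusted_workspaces)
        self.privileged = set(privileged_roles)
        self.read_only = read_only
        self._clock = clock
        self._writes = defaultdict(deque)   # workspace_id -> write timestamps

    def decide(self, workspace_id, role, scope):
        """Return (verdict, reason); verdict is 'allow', 'queue' or 'deny'.
        Only GLOBAL writes are gated; workspace-scoped writes pass through."""
        if scope != "GLOBAL":
            return "allow", "workspace-scoped write"
        if role in self.privileged:
            return "allow", "privileged system role"
        if self.read_only:
            return "deny", "GLOBAL scope is read-only for non-privileged roles"
        now = self._clock()
        window = self._writes[workspace_id]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                 # drop writes older than one hour
        if len(window) >= self.max_per_hour:
            return "deny", f"rate limit: {self.max_per_hour} GLOBAL writes/hour"
        window.append(now)                   # queued writes count too, so an
        if workspace_id not in self.trusted: # untrusted flood is bounded as well
            return "queue", "held for supervisor approval"
        return "allow", "trusted workspace within rate limit"

class FakeClock:
    """Manually advanced clock for the demo."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

def demo():
    """Walk the policy through the interesting transitions; returns verdicts."""
    clock = FakeClock()
    policy = GlobalWritePolicy(max_per_hour=2, trusted_workspaces={"ws-trusted"}, clock=clock)
    out = []
    out.append(policy.decide("ws-trusted", "member", "WORKSPACE")[0])  # allow
    out.append(policy.decide("ws-trusted", "member", "GLOBAL")[0])     # allow (1/2)
    out.append(policy.decide("ws-trusted", "member", "GLOBAL")[0])     # allow (2/2)
    out.append(policy.decide("ws-trusted", "member", "GLOBAL")[0])     # deny (limit)
    clock.now += WINDOW_SECONDS                                        # window expires
    out.append(policy.decide("ws-trusted", "member", "GLOBAL")[0])     # allow
    out.append(policy.decide("ws-other", "member", "GLOBAL")[0])       # queue
    out.append(policy.decide("ws-other", "system", "GLOBAL")[0])       # allow (privileged)
    locked = GlobalWritePolicy(read_only=True, clock=clock)
    out.append(locked.decide("ws-trusted", "member", "GLOBAL")[0])     # deny (read-only)
    return out

if __name__ == "__main__":
    print(demo())
```

Note what the gate does not do: it bounds how much a workspace can push into GLOBAL scope and who can do so without review, but the delimiter wrapping from PR #767 is still the only thing standing between an approved GLOBAL memory and the reader's prompt, so the approval step needs a human actually reading the content.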
References
- Full audit: `docs/security/safe-mcp-audit-2026-04-17.md`
- SAFE-MCP framework: `docs/security/safe-mcp-audit.md`
- Issue tracker: #747 (parent), see follow-on issues linked from PR #808
- Public docs: PR #18 on `Molecule-AI/docs` (covers only customer-visible security notes)