easytouch-mcp
Audited by Socket on Feb 25, 2026
5 alerts found:
Alert labels: Anomaly (x3), Security, Obfuscated File

The package will execute a local installer script (install.js) automatically at install time. This is a legitimate pattern for packages that need to perform setup, but it also enables a wide range of potentially malicious actions (data exfiltration, installing backdoors, modifying system files, setting up persistent agents, etc.). You should inspect the contents of install.js and any files under bin/ (especially ./bin/et) before installing. If you cannot review those files, treat the package as untrusted on production or sensitive systems.
The batch launcher itself shows no malware, but enables potential command injection through an unquoted version argument. The core risk is mitigated by validating and safely quoting the input, plus ensuring the Node.js script sanitizes the version. Implementing input validation, proper quoting, and cautious invocation will significantly reduce risk. The security posture improves if both the launcher and the Node.js script enforce strict input handling.
Not an immediate, obvious malware sample based on package.json alone, but the postinstall hook executes a local install.js which could perform malicious actions (data exfiltration, adding backdoors, modifying system files, installing additional native binaries). The optional platform packages increase attack surface because they may include native code. You should inspect install.js and each optional dependency's package contents (and any native binaries) before installing in a sensitive environment.
No direct indicators of malware (no network communications, credential harvesting, or obfuscated payloads). The file implements powerful keyboard-injection functionality by invoking external helper binaries with user-provided arguments. Main risks: (1) PATH/command hijacking — an attacker-controlled helper in PATH could be executed; (2) unvalidated/unescaped argument semantics — helper tools may interpret input in unexpected ways; (3) the inherent ability to inject arbitrary keystrokes allows misuse (data exfiltration or remote-control scenarios) if the API is reachable by untrusted actors. Mitigations: validate and whitelist keys/inputs, avoid relying on PATH (use absolute trusted paths), constrain who can call these APIs, and improve escaping/encoding for helper-specific argument formats.
The code functions as a broad test harness orchestrating an external EasyTouch tool via CLI and MCP modes. There is no explicit malware or backdoor detected within this fragment. However, significant security risks arise from trust placed in external binaries, potential supply-chain compromise, and the permissive error handling that may mask malicious behavior or misreport results. Strengthening input validation, explicit error logging, and strict sanitization of external outputs would mitigate risks. Overall, moderate risk due to external dependencies and IPC surfaces, with no definitive malware indicators.