// npm 패키지
local-mcp
LMCP — connect Claude Desktop, Cursor, Windsurf to Mail, Calendar, Contacts, Teams, OneDrive on macOS. Privacy-first: all data stays on your Mac.
버전
346
메인테이너
1
라이선스
SEE LICENSE IN LICENSE
최초 publish
2026-03-26
publisher
lanchuske
tarball
98,235 B
AUTO-PUBLISHED·1개 버전 인덱싱됨·최근 publish: 2026-05-25
// exfil path
what is read → where it shipssteals
- ● macOS Keychain
- ● MCP config
- ○ home dir
- ○ system info
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
evidence in excerpt
> const { execFileSync, execSync } = require('child_process')
> const BACKEND_URL = 'https://office-mcp-production.up.railway.app'
> ? path.join(process.env.LOCALAPPDATA || path.join(os.homedir(), 'AppData', 'Local'), 'local-mcp', 'bin')
> : path.join(os.homedir(), '.local', 'share', 'local-mcp', 'bin')
> ? path.join(process.env.LOCALAPPDATA || path.join(os.homedir(), 'AppData', 'Local'), 'local-mcp', 'tray')// offending code· @3.0.221· 3 files flagged
llm: benign · 0.85→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 other host(s).
- @3.0.221··AUTO-PUBLISHED·publisher: lanchuskeheuristic 75/100static flags 7llm benign (0.85) via ollamainstall-scripts:postinstallnew-publisher:6dmature-packagehas-source-repoosv-flagged:MAL-2026-4601reads-keychainreads-env-varsreads-homedirreads-system-infochild-process-spawnpublic-github-pushreads-mcp-config
→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 other host(s).
// offending code· 3 files flaggedpatterns: 7
--- install scripts --- ### postinstall node postinstall.js --- package/download.js (excerpt) --- 'use strict' /** * download.js — descarga y cachea el binario standalone de LMCP desde R2. * El binario fue compilado con PyInstaller — no requiere Python instalado. * Cache: ~/.local/share/local-mcp/bin/{version}/ */ const https = require('https') const http = require('http') const fs = require('fs') const path = require('path') const os = require('os') const { execFileSync, execSync } = require('child_process') // On Windows, Git-Bash's tar interprets "C:\..." paths as "host:path" (SSH syntax). // Use the native Windows tar.exe from System32 instead, which handles Win32 paths correctly. function extractTar(tarPath, destDir) { const tarBin = process.platform === 'win32' ? path.join(process.env.SystemRoot || 'C:\\Windows', 'System32', 'tar.exe') : 'tar' execFileSync(tarBin, ['-xzf', tarPath, '-C', destDir], { stdio: 'pipe' }) } const BACKEND_URL = 'https://office-mcp-production.up.railway.app' // Platform-aware cache directory: // macOS: ~/.local/share/local-mcp/bin // Windows: %LOCALAPPDATA%/local-mcp/bin // Linux: ~/.local/share/local-mcp/bin const CACHE_DIR = process.platform === 'win32' ? path.join(process.env.LOCALAPPDATA || path.join(os.homedir(), 'AppData', 'Local'), 'local-mcp', 'bin') : path.join(os.homedir(), '.local', 'share', 'local-mcp', 'bin') const TRAY_DIR = process.platform === 'win32' ? path.join(process.env.LOCALAPPDATA || path.join(os.homedir(), 'AppData', 'Local'), 'local-mcp', 'tray') : path.join(os.hom --- package/index.js (excerpt) --- #!/usr/bin/env node 'use strict' /** * index.js — entry point del paquete npm local-mcp. * * Modos: * npx local-mcp → instala/actualiza runtime; en terminal interactiva muestra * mensaje de listo y sale (Cursor/Claude lanzan stdio solos) * npx local-mcp setup → wizard de configuración de clientes * npx local-mcp update → fuerza re-descarga del runtime * npx local-mcp uninstall → elimina cache del runtime * npx local-mcp status → muestra estado del servidor local */ const { spawn, execFileSync, execSync } = require('child_process') const path = require('path') const os = require('os') const fs = require('fs') const https = require('https') // Platform support: macOS (full), Windows (Go server), Linux (Go server) const SUPPORTED_PLATFORMS = ['darwin', 'win32', 'linux'] if (!SUPPORTED_PLATFORMS.includes(process.platform)) { console.error(`LMCP is not available for ${process.platform}. Supported: macOS, Windows, Linux.`) process.exit(1) } // Node version guard — Claude Desktop can silently launch LMCP with an old // nvm default (e.g. v11) that makes `npx -y` fail before this file loads. // If this code IS running on an old Node, surface the error clearly so the // user sees it in Claude Desktop's MCP logs instead of a cryptic spawn error. if (parseInt(process.version.slice(1)) < 16) { const msg = `LMCP requires Node 16+. Running ${process.version}.\n` + `If you use nvm, run: --- package/package.json (excerpt) --- { "name": "local-mcp", "version": "3.0.221", "description": "LMCP — connect Claude Desktop, Cursor, Windsurf to Mail, Calendar, Contacts, Teams, OneDrive on macOS. Privacy-first: all data stays on your Mac.", "main": "index.js", "bin": { "local-mcp": "index.js" }, "scripts": { "postinstall": "node postinstall.js" }, "files": [ "index.js", "download.js", "setup.js", "postinstall.js", "README.md" ], "engines": { "node": ">=18" }, "os": [ "darwin", "win32", "linux" ], "keywords": [ "mcp", "model-context-protocol", "mcp-server", "claude", "claude-desktop", "cursor", "windsurf", "vscode", "zed", "ai", "ai-agent", "ai-tools", "macos", "mac", "apple", "mail", "email", "gmail", "outlook", "exchange", "icloud", "calendar", "contacts", "teams", "microsoft-teams", "onedrive", "word", "excel", "powerpoint", "pdf", "local", "privacy", "offline", "no-cloud", "productivity", "automation" ], "author": "LMCP <hello@local-mcp.com>", "license": "SEE LICENSE IN LICENSE", "homepage": "https://local-mcp.com", "repository": { "type": "git", "url": "https://github.com/lanchuske/local-mcp.git" }, "bugs": { "url": "https://github.com/lanchuske/local-mcp/issues" }, "mcpName": "com.local-mcp/local-mcp" }
