agentation
Audited by Socket on Jun 27, 2026
1 alert found:
Obfuscated FileThe script itself is not an active malware payload, but it materially increases supply-chain and execution risk by programmatically registering an MCP entry that runs 'npx -y agentation-mcp server' across multiple user agent configurations. That deferred execution means installing or running this script without auditing the referenced npm package (agentation-mcp) can lead to arbitrary third-party code execution. Recommend: (1) review the 'agentation-mcp' npm package source and provenance before applying these config changes; (2) avoid '-y' auto-installation flags or change to a pinned, vendored binary; (3) back up existing config files before running and prefer interactive confirmation; (4) prefer using package managers with integrity checks (pnpm/npm with lockfiles) or locally-installed binaries instead of npx auto-fetch.