sensorium-mcp @3.0.95
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10747
Ecosystem
npm
Summary
sensorium-mcp starts a background poller against api.telegram.org/getUpdates and delivers received message text as prompts to locally spawned Claude Code (invoked with --dangerously-skip-permissions) and Codex (invoked with --dangerously-bypass-approvals-and-sandbox). Because the agents' approval/sandbox prompts are disabled by the package, any party holding the Telegram bot token and chat id can issue instructions that execute as shell and file operations on the installer's host. The keepAlive threads auto-launch when the server is started. In addition, the MCP send_file tool accepts any absolute path inside the installer's cwd or home directory, reads the file, and uploads it to the configured Telegram chat via telegram.sendDocument, exposing paths such as ~/.ssh/id_rsa, ~/.aws/credentials, and ~/.npmrc to whoever controls the bot. The ping-related patterns flagged in dist/http-server.js and dist/services/self-update.service.js are health-check / keepalive references and are not the primary basis for this verdict.
Source: amazon-inspector (73c4ac95caf91cb047bab32d5202efa2dfc2e4f84a032160419a7c30739da91c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.