registry  /  @0xmonaco/mcp-server  /  0.8.16

@0xmonaco/mcp-server@0.8.16

⚠ Under review

MCP server for the Monaco SDK

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 1 file(s), 1.19 MB of source, external domains: 4byte.sourcify.dev, abitype.dev, api.etherscan.io, api.monaco.xyz, develop.apimonaco.xyz, docs.0xmonaco.com, docs.soliditylang.org, evm-rpc-testnet.sei-apis.com, evm-rpc.sei-apis.com, github.com, jimmy.warting.se, json-schema.org, oxlib.sh, seiscan.io, staging.apimonaco.xyz, testnet.seiscan.io, viem.sh

Source & flagged code

3 flagged · loading source
dist/bin.jsView file
1#!/usr/bin/env node L2: import{createRequire as Sa}from"node:module";var za=Object.create;var{getPrototypeOf:Ia,defineProperty:qz,getOwnPropertyNames:qa}=Object;var La=Object.prototype.hasOwnProperty;func... L3: Content-Disposition: form-data; name="`;return $.forEach((G,W)=>typeof G=="string"?Y.push(X+Bz(W)+`"\r ... L12: `)).replace(/\n/g,"%0A").replace(/\r/g,"%0D").replace(/"/g,"%22"),SX=($,J,Q)=>{if(J.length<Q)throw TypeError(`Failed to execute '${$}' on 'FormData': ${Q} arguments required, but o... L13: --`+$;let J=new Uint8Array($.length);for(let Q=0;Q<$.length;Q++)J[Q]=$.charCodeAt(Q),this.boundaryChars[J[Q]]=!0;this.boundary=J,this.lookbehind=new Uint8Array(this.boundary.length... L14: `).join(`\r ... L22: || (${W} === "string" && ${X} && ${X} == +${X} && !(${X} % 1))`).assign(V,m$._`+${X}`);return;case"boolean":Y.elseIf(m$._`${X} === "false" || ${X} === 0 || ${X} === null`).assign(V... L23: || ${W} === "boolean" || ${X} === null`).assign(V,m$._`[${X}]`)}}}function QQ$({gen:$,parentData:J,parentDataProperty:Q},Y){$.if(m$._`${J} !== undefined`,()=>$.assign(m$._`${J}[${Q... L24: missingProperty: ${Y}, ... L46: `),{name:"InvalidDefinitionTypeError"})}}});var U1;var z9=o(()=
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

dist/bin.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> dist/bin.js L1: #!/usr/bin/env node L2: import{createRequire as Sa}from"node:module";var za=Object.create;var{getPrototypeOf:Ia,defineProperty:qz,getOwnPropertyNames:qa}=Object;var La=Object.prototype.hasOwnProperty;func... L3: Content-Disposition: form-data; name="`;return $.forEach((G,W)=>typeof G=="string"?Y.push(X+Bz(W)+`"\r ... L12: `)).replace(/\n/g,"%0A").replace(/\r/g,"%0D").replace(/"/g,"%22"),SX=($,J,Q)=>{if(J.length<Q)throw TypeError(`Failed to execute '${$}' on 'FormData': ${Q} arguments required, but o... L13: --`+$;let J=new Uint8Array($.length);for(let Q=0;Q<$.length;Q++)J[Q]=$.charCodeAt(Q),this.boundaryChars[J[Q]]=!0;this.boundary=J,this.lookbehind=new Uint8Array(this.boundary.length... L14: `).join(`\r ... L22: || (${W} === "string" && ${X} && ${X} == +${X} && !(${X} % 1))`).assign(V,m$._`+${X}`);return;case"boolean":Y.elseIf(m$._`${X} === "false" || ${X} === 0 || ${X} === null`).assign(V... L23: || ${W} === "boolean" || ${X} === null`).assign(V,m$._`[${X}]`)}}}function QQ$({gen:$,parentData:J,parentDataProperty:Q},Y){$.if(m$._`${J} !== undefined`,()=>$.assign(m$._`${J}[${Q... L24: missingProperty: ${Y}, ... L46: `),{name:…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/bin.jsView on unpkg · L1
65\r L66: `),Y=!1,X=!1,G;$.on("response",(W)=>{let{headers:V}=W;Y=V["transfer-encoding"]==="chunked"&&!V["content-length"]}),$.on("socket",(W)=>{let V=()=>{if(Y&&!X){let D=Error("Premature c... L67: `)}var fY=($)=>(J,Q,Y,X)=>{let G=Y?{...Y,async:!1}:{async:!1},W=J._zod.run({value:Q,issues:[]},G);if(W instanceof Promise)throw new OJ;if(W.issues.length){let V=new(X?.Err??$)(W.is...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/bin.jsView on unpkg · L65

Findings

2 Critical5 Medium6 Low
CriticalWallet Draindist/bin.js
CriticalTrigger Reachable Dangerous Capabilitydist/bin.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowEvaldist/bin.js
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License