registry  /  @aborruso/italianparliament-mcp  /  0.22.0

@aborruso/italianparliament-mcp@0.22.0

CLI and MCP server for querying Italian Parliament SPARQL endpoints (Camera dei Deputati and Senato della Repubblica)

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 72 file(s), 2.05 MB of source, external domains: aic.camera.it, dati.camera.it, dati.senato.it, documenti.camera.it, example.org, github.com, json-schema.org, lod.xdams.org, mathiasbynens.be, purl.org, raw.githubusercontent.com, www.camera.it, www.senato.it, www.w3.org, xmlns.com

Source & flagged code

5 flagged · loading source
dist/worker.jsView file
670patternName = generic_password severity = medium line = 670 matchedText = )`,enabl...,`\r
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/worker.jsView on unpkg · L670
4|| (${a} === "string" && ${o} && ${o} == +${o} && !(${o} % 1))`).assign(s,(0,X._)`+${o}`);return;case"boolean":n.elseIf((0,X._)`${o} === "false" || ${o} === 0 || ${o} === null`).as... L5: || ${a} === "boolean" || ${o} === null`).assign(s,(0,X._)`[${o}]`)}}}function dE({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,X._)`${t} !== undefined`,()=>e.assign((0,X._)`... L6: missingProperty: ${n},
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/worker.jsView on unpkg · L4
dist/core/fetch-text.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @aborruso/italianparliament-mcp@0.16.0 matchedIdentity = npm:[redacted]:0.16.0 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/core/fetch-text.jsView on unpkg
dist/index.jsView file
7905patternName = generic_password severity = medium line = 7905 matchedText = password...d]",
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L7905
dist/cli.jsView file
7834patternName = generic_password severity = medium line = 7834 matchedText = password...d]",
Medium
Secret Pattern

Hardcoded password in dist/cli.js

dist/cli.jsView on unpkg · L7834

Findings

1 High5 Medium7 Low
HighPrevious Version Dangerous Deltadist/core/fetch-text.js
MediumSecret Patterndist/worker.js
MediumNetwork
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/index.js
MediumSecret Patterndist/cli.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/worker.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings