registry  /  @contextstream/mcp-server  /  0.4.81

@contextstream/mcp-server@0.4.81

⚠ Under review

MCP server that gives AI coding assistants persistent memory, semantic code search, a dependency graph, grounded Q&A, and team context (GitHub/Slack/Notion) — works with Claude Code, Cursor, VS Code Copilot, Windsurf, Cline, and any Model Context Protocol

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 27 file(s), 2.20 MB of source, external domains: 0.0.0.0, api.contextstream.io, app.contextstream.io, contextstream.io, github.com, json-schema.org, mcp.contextstream.io, opencode.ai, registry.npmjs.org, static.modelcontextprotocol.io

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
4151import { join } from "path"; L4152: import { spawn } from "child_process"; L4153: function getVersion() {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L4151
4438if (os2 === "win32") { L4439: return "powershell"; L4440: }
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L4438
431issueData, L432: data: ctx.data, L433: path: ctx.path, ... L622: return false; L623: const base64 = header.replace(/-/g, "+").replace(/_/g, "/").padEnd(header.length + (4 - header.length % 4) % 4, "="); L624: const decoded = JSON.parse(atob(base64)); ... L4151: import { join } from "path"; L4152: import { spawn } from "child_process"; L4153: function getVersion() { ... L4158: const require2 = createRequire(import.meta.url); L4159: const pkg = require2("../package.json"); L4160: const version = pkg?.version;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L431
4151import { join } from "path"; L4152: import { spawn } from "child_process"; L4153: function getVersion() { ... L4183: if (!existsSync(cacheFile)) return null; L4184: const data = JSON.parse(readFileSync(cacheFile, "utf-8")); L4185: if (Date.now() - data.checkedAt > CACHE_TTL_MS) return null; ... L7543: Only blocks if the current project is indexed in ContextStream. L7544: If not indexed, allows local tools through with a suggestion to index. L7545: """ ... L40755: } L40756: function getBaseUrl(req) { L40757: const host = req.headers.host || "localhost";
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/index.jsView on unpkg · L4151
dist/hooks/session-init.jsView file
18import { join } from "path"; L19: import { spawn } from "child_process"; L20: var NPM_LATEST_URL = "https://registry.npmjs.org/@contextstream/mcp-server/latest"; L21: var AUTO_UPDATE_ENABLED = process.env.CONTEXTSTREAM_AUTO_UPDATE !== "false"; L22: var UPDATE_COMMANDS = {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/hooks/session-init.jsView on unpkg · L18
scripts/postinstall.jsView file
1Install-time AI-agent control hijack evidence: L1: #!/usr/bin/env node L2: import { existsSync, readFileSync, writeFileSync, mkdirSync } from "fs"; L3: import { homedir } from "os"; ... L10: const binPath = join(__dirname, "..", "dist", "index.js"); L11: const claudeDir = join(homedir(), ".claude"); L12: const claudeSettingsPath = join(claudeDir, "settings.json"); ... L14: L15: // Ensure .claude directory exists L16: if (!existsSync(claudeDir)) { L17: mkdirSync(claudeDir, { recursive: true }); L18: } ... L20: // Store version for update detection Payload evidence from dist/hooks/subagent-stop.js: L9: import { homedir } from "node:os"; L10: var DEFAULT_API_URL = "https://api.contextstream.io"; L11: var HOOK_SPECIFIC_OUTPUT_EVENTS = /* @__PURE__ */ new Set(["PreToolUse", "UserPromptSubmit", "PostToolUse"]); ... L13: try { L14: return JSON.parse(fs.readFileSync(0, "utf8")); L15: } catch { ... L19: function writeHookOutput(output) { L20: const eventName = output?.hookEventName || (typeof process.env.HOOK_EVENT_NAME === "string" ? process.env.HOOK_EVENT_NAME.trim() : ""); L21: const canUseHookSpecificOutput = HOOK_SPECIFIC_OUTPUT_EVENTS.has(eventName); ... L33: function extractCwd(inp…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.jsView on unpkg · L1
dist/test-server.jsView file
7Cross-file remote execution chain: dist/test-server.js spawns dist/index.js; helper contains network access plus dynamic code execution. L7: // src/test-server.ts L8: import { createServer } from "http"; L9: import { spawn } from "child_process"; L10: import { createInterface } from "readline"; ... L518: issueData, L519: data: ctx.data, L520: path: ctx.path, ... L963: var ipv6CidrRegex = /^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}... L964: var base64Regex = /^([0-9a-zA-Z+/]{4})*(([0-9a-zA-Z+/]{2}==)|([0-9a-zA-Z+/]{3}=))?$/; L965: var base64urlRegex = /^([0-9a-zA-Z-_]{4})*(([0-9a-zA-Z-_]{2}(==)?)|([0-9a-zA-Z-_]{3}(=)?))?$/; ... L4054: import { createRequire } from "module"; L4055: var AUTO_UPDATE_ENABLED = process.env.CONTEXTSTREAM_AUTO_UPDATE !== "false";
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/test-server.jsView on unpkg · L7

Findings

1 Critical7 High4 Medium5 Low
CriticalAi Agent Control Hijackscripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighShelldist/index.js
HighSame File Env Network Executiondist/hooks/session-init.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighRemote Agent Bridgedist/index.js
HighCross File Remote Execution Contextdist/test-server.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings