
@cyanheads/mcp-ts-core@0.10.12

Agent-native TypeScript framework for building MCP servers. Declarative definitions with auth, multi-backend storage, OpenTelemetry, and first-class support for Bun/Node/Cloudflare Workers.

Static Scan Results

scanned 12h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 203 file(s), 1.39 MB of source, external domains: api.elevenlabs.io, api.openai.com, github.com, img.shields.io, json-schema.org, openrouter.ai, schema.org, unpkg.com, www.npmjs.com

Source & flagged code

5 flagged
dist/utils/parsing/xmlParser.js
  20:   return _fxp;
  21: _fxp = await import(FXP_MODULE).catch(() => {
  22:   throw configurationError('Install "fast-xml-parser" to use XML parsing: bun add fast-xml-parser');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/utils/parsing/xmlParser.js · L20
dist/utils/network/fetchWithTimeout.js
  47: /**
  48:  * IPv4 patterns for private/reserved ranges that should be blocked when
  49:  * `rejectPrivateIPs` is enabled. Covers RFC 1918, loopback, link-local,
  ...
  153: }
  154: // `node:dns/promises` is available in Node, Bun, and Workers under
  155: // `nodejs_compat`. `isNode` covers all three.
  ...
  178: const [ipv4Results, ipv6Results] = await Promise.allSettled([
  179:   dns.resolve4(hostname),
  180:   dns.resolve6(hostname),
  ...
  243:  * );
  244:  * const data = await response.json();
  245:  *
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/utils/network/fetchWithTimeout.js · L47
dist/utils/security/sanitization.js
  patternName = generic_password · severity = medium · line = 661 · matchedText = `* // => ... } }`
Medium
Secret Pattern

Hardcoded password in dist/utils/security/sanitization.js

dist/utils/security/sanitization.js · L661
dist/utils/security/sanitization.d.ts
  patternName = generic_password · severity = medium · line = 381 · matchedText = `* // => ... } }`
Medium
Secret Pattern

Hardcoded password in dist/utils/security/sanitization.d.ts

dist/utils/security/sanitization.d.ts · L381
skills/api-utils/references/security.md
  patternName = generic_password · severity = medium · line = 95 · matchedText = `// { pas...e' }`
Medium
Secret Pattern

Hardcoded password in skills/api-utils/references/security.md

skills/api-utils/references/security.md · L95

Findings

1 High · 7 Medium · 4 Low
High · Cloud Metadata Access · dist/utils/network/fetchWithTimeout.js
Medium · Dynamic Require · dist/utils/parsing/xmlParser.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk · Force Deep Review
Medium · Secret Pattern · dist/utils/security/sanitization.js
Medium · Secret Pattern · dist/utils/security/sanitization.d.ts
Medium · Secret Pattern · skills/api-utils/references/security.md
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings