registry  /  @dypai-ai/mcp  /  1.7.5

@dypai-ai/mcp@1.7.5

DYPAI MCP Server — AI agent toolkit for building and deploying full-stack apps

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 52 file(s), 770 KB of source, external domains: dyapi.dypai.dev, github.com, hooks.example.com, mcp.dypai.dev, registry.npmjs.org

Source & flagged code

2 flagged · loading source
src/tools/scaffold.jsView file
132try { L133: const { execSync } = await import("child_process") L134: execSync("npm install", { cwd: directory, stdio: "pipe", timeout: 60000 })
High
Child Process

Package source references child process execution.

src/tools/scaffold.jsView on unpkg · L132
src/auto-update.jsView file
4* On every startup, checks the npm registry for a newer version. If found, performs L5: * the appropriate update (clear npx cache or `npm install -g`) and exits with L6: * code 0 so the host (Cursor / Claude / Trae / VSCode) re-spawns the process ... L15: import { homedir, tmpdir } from "node:os"; L16: import { execSync } from "node:child_process"; L17:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/auto-update.jsView on unpkg · L4

Findings

3 High3 Medium5 Low
HighChild Processsrc/tools/scaffold.js
HighShell
HighRuntime Package Installsrc/auto-update.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings