Static Scan Results
scanned 8h ago · by rust-scannerStatic analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
HighEntropyStringsObfuscatedUrlStrings
Source & flagged code
3 flagged · loading sourcedist/cli/init.jsView file
11import { stdin, stdout } from "node:process";
L12: import { execSync } from "node:child_process";
L13: import { detectTools } from "./detect-tool.js";
High
4*
L5: * Usage: npx @frase/mcp-server init
L6: *
...
L11: import { stdin, stdout } from "node:process";
L12: import { execSync } from "node:child_process";
L13: import { detectTools } from "./detect-tool.js";
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/cli/init.jsView on unpkg · L4dist/mcpb-bundle.jsView file
2960sourceCode = this.opts.code.process(sourceCode, sch);
L2961: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);
L2962: const validate = makeValidate(this, this.scope.get());
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/mcpb-bundle.jsView on unpkg · L2960Findings
3 High3 Medium7 Low
HighChild Processdist/cli/init.js
HighShell
HighRuntime Package Installdist/cli/init.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/mcpb-bundle.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings