
@hybridlabor-api/bdb-antigravity-skills@1.2.3

Optimized Antigravity skills and MCP pack for BDB DEV

Static Scan Results

scanned 48m ago · by rust-scanner

Static analysis flagged 23 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Native Bindings, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Minified, Telemetry, Url Strings
Manifest: No manifest risk signals triggered.
scanned 1,775 file(s), 13.4 MB of source, external domains: 10.0.0.5, 127.0.0.1, 127.0.0.2, 127.0.0.3, 192.168.1.50, api.anthropic.com, api.apify.com, api.artic.edu, api.daydream.live, api.europeana.eu, api.example.com, api.github.com, api.openai.com, api.si.edu, api.telegram.org, clevelandart.org, codeload.github.com, collectionapi.metmuseum.org, commons.wikimedia.org, console.apify.com, creativecommons.org, data.rijksmuseum.nl, derivative.ca, docs.derivative.ca, evil.example.com, evil.test, example.com, example.invalid, example.org, example.test, github.com, id.rijksmuseum.nl, ids.si.edu, iiif.micr.io, images.metmuseum.org, llm.local, llm.test, nodejs.org, ollama.com, ollama.local, openaccess-api.clevelandart.org, openaccess-cdn.clevelandart.org, prod.spline.design, raw.githubusercontent.com, rightsstatements.org, staging.daydream.live, td.local, upload.wikimedia.org, www.artic.edu, www.europeana.eu

Source & flagged code

16 flagged
mcps/unreal_mcp/.env.production
patternName = blocked_file
severity = critical
matchedText = mcps/unreal_mcp/.env.production
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text
Critical
Critical Secret

Package contains a critical-looking secret pattern.

mcps/davinci-resolve-mcp/bin/davinci-resolve-mcp.mjs · L2
L2:
L3: import { spawn, spawnSync } from "node:child_process";
L4: import fs from "node:fs";
High
Child Process

Package source references child process execution.

mcps/unreal_mcp/src/tools/handlers/pipeline/pipeline-ubt-discovery.ts · L6
L6:
L7: const execAsync = util.promisify(exec);
L8:
High
Shell

Package source references shell execution.

mcps/unreal_mcp/src/utils/commands/command-validator.ts · L35
L35: 'import os', 'import subprocess', 'subprocess.', 'os.system',
L36: 'exec(', 'eval(', '__import__', 'import sys', 'import importlib',
L37: 'with open', 'open(', 'write(', 'read('
Low
Eval

Package source references a known benign dynamic code generation pattern.

mcps/adobe_uxp_mcp/plugins/photoshop/index.js · L1
L1: const { app, core } = require("photoshop");
L2:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

mcps/unreal_mcp/src/automation/request-tracker.ts · L16
L16: export class RequestTracker {
L17:   private pendingRequests = new Map<string, PendingRequest>();
L18:   private coalescedRequests = new Map<string, Promise<AutomationBridgeResponseMessage>>();
Low
Weak Crypto

Package source references weak cryptographic algorithms.

mcps/tdmcp/scripts/setup.mjs · L7
L7: // real absolute path already filled in. Pure Node builtins, no dependencies.
L8: import { spawnSync } from "node:child_process";
L9: import { existsSync } from "node:fs";
...
L17: function say(msg = "") {
L18:   process.stdout.write(`${msg}\n`);
L19: }
...
L25:   stdio: "inherit",
L26:   shell: process.platform === "win32",
L27: });
...
L39: say(`✖ Node ${process.versions.node} detected — tdmcp needs Node 20 or newer.`);
L40: say("  Install it from https://nodejs.org and run `npm run setup` again.");
L41: process.exit(1);
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

mcps/RhinoMCP/connector/build.mjs · L32
L32:
L33: const res = spawnSync("npx", ["--yes", "@anthropic-ai/mcpb", "pack", stage, out], {
L34:   stdio: "inherit",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

mcps/computer-use-mcp/computer-use-napi.darwin-arm64.node
path = mcps/computer-use-mcp/computer-use-napi.darwin-arm64.node
kind = native_binary
sizeBytes = 1206144
magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

mcps/davinci-resolve-mcp/tests/test_resolve21_actions.py
path = mcps/davinci-resolve-mcp/tests/test_resolve21_actions.py
kind = payload_in_excluded_dir
sizeBytes = 15092
magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

mcps/davinci-resolve-mcp/tests/test_resolve21_actions.py
path = mcps/davinci-resolve-mcp/tests/test_resolve21_actions.py
kind = build_helper
sizeBytes = 15092
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/global_config/web-artifacts-builder/scripts/shadcn-components.tar.gz
path = skills/global_config/web-artifacts-builder/scripts/shadcn-components.tar.gz
kind = compressed_blob
sizeBytes = 19967
magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

mcps/RhinoMCP/art/logo.afdesign
path = mcps/RhinoMCP/art/logo.afdesign
kind = high_entropy_blob
sizeBytes = 62214
magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

mcps/tdmcp/tests/unit/macroRecorder.test.ts · L107
patternName = generic_password
severity = medium
line = 107
matchedText = password...d]",
Medium
Secret Pattern

Hardcoded password in mcps/tdmcp/tests/unit/macroRecorder.test.ts

skills/global_config/playwright-skill/lib/helpers.js · L208
patternName = generic_password
severity = medium
line = 208
matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in skills/global_config/playwright-skill/lib/helpers.js

skills/global_legacy/playwright-skill/lib/helpers.js · L208
patternName = generic_password
severity = medium
line = 208
matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in skills/global_legacy/playwright-skill/lib/helpers.js


Findings

1 Critical, 6 High, 10 Medium, 6 Low

Critical · Critical Secret · mcps/unreal_mcp/.env.production
High · Child Process · mcps/davinci-resolve-mcp/bin/davinci-resolve-mcp.mjs
High · Shell · mcps/unreal_mcp/src/tools/handlers/pipeline/pipeline-ubt-discovery.ts
High · Sandbox Evasion Gated Capability · mcps/tdmcp/scripts/setup.mjs
High · Runtime Package Install · mcps/RhinoMCP/connector/build.mjs
High · Ships High Entropy Blob · mcps/RhinoMCP/art/logo.afdesign
High · Payload In Excluded Dir · mcps/davinci-resolve-mcp/tests/test_resolve21_actions.py
Medium · Dynamic Require · mcps/adobe_uxp_mcp/plugins/photoshop/index.js
Medium · Network
Medium · Environment Vars
Medium · Ships Native Binary · mcps/computer-use-mcp/computer-use-napi.darwin-arm64.node
Medium · Ships Build Helper · mcps/davinci-resolve-mcp/tests/test_resolve21_actions.py
Medium · Ships Compressed Blob · skills/global_config/web-artifacts-builder/scripts/shadcn-components.tar.gz
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · mcps/tdmcp/tests/unit/macroRecorder.test.ts
Medium · Secret Pattern · skills/global_config/playwright-skill/lib/helpers.js
Medium · Secret Pattern · skills/global_legacy/playwright-skill/lib/helpers.js
Low · Eval · mcps/unreal_mcp/src/utils/commands/command-validator.ts
Low · Weak Crypto · mcps/unreal_mcp/src/automation/request-tracker.ts
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings