registry  /  @lousy-agents/mcp  /  5.17.0

@lousy-agents/mcp@5.17.0

⚠ Under review

MCP server for lousy-agents - provides AI coding assistant tools via the Model Context Protocol

Static Scan Results

scanned 13d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
WildcardDependency
scanned 9 file(s), 609 KB of source, external domains: api.github.com, bitbucket.com, bitbucket.org, caniuse.com, gist.github.com, git.sr.ht, github.com, gitlab.com, jmrware.com, json-schema.org, mathiasbynens.be, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.w3.org
Oversized source lightweight scan
dist/mcp-server.js2.38 MB file, sampled 256 KB
ChildProcessEvalHighEntropyStringsUrlStringscaniuse.comgist.github.comgithub.comjmrware.comjson-schema.orgmathiasbynens.bespec.openapis.orgstackoverflow.comtools.ietf.orgwww.w3.org

Source & flagged code

3 flagged · loading source
dist/913.jsView file
21contains invisible/control Unicode U+FEFF (zero width no-break space) `?(c++,l=0):e?l+=e.length:l++,e&&(s+=e.length),e}let S={default(){switch(v){case` `:case`\v`:case`\f`:case` `:case`\xA0`:case`<U+FEFF>`:case`
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/913.jsView on unpkg · L21
dist/mcp-server.jsView file
path = dist/mcp-server.js kind = oversized_source_file sizeBytes = 2494262 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/mcp-server.jsView on unpkg
path = dist/mcp-server.js kind = oversized_cli_entrypoint sizeBytes = 2494262 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/mcp-server.jsView on unpkg

Findings

1 Critical1 High5 Medium6 Low
CriticalTrojan Source Unicodedist/913.js
HighOversized Source Filedist/mcp-server.js
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/mcp-server.js
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings