registry  /  @myelixlabs/synapse-mcp  /  0.0.0-v2-1-34rc1

@myelixlabs/synapse-mcp@0.0.0-v2-1-34rc1

Installer/launcher shim for Synapse MCP.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystem
Supply chain
UrlStrings
Manifest
NoLicense
scanned 4 file(s), 13.7 KB of source, external domains: downloads.synapse-mcp.dev

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/synapse-mcp.js install --quiet
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node bin/synapse-mcp.js install --quiet
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/synapse-mcp.jsView file
2L3: const { spawnSync } = require('child_process'); L4: const { install, resolvePaths } = require('../lib/install');
High
Child Process

Package source references child process execution.

bin/synapse-mcp.jsView on unpkg · L2
2L3: const { spawnSync } = require('child_process'); L4: const { install, resolvePaths } = require('../lib/install'); ... L17: function usage() { L18: console.error('Usage: npx @myelixlabs/synapse-mcp <command> [args]'); L19: console.error('Commands:');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/synapse-mcp.jsView on unpkg · L2
lib/install.jsView file
3const crypto = require('crypto'); L4: const childProcess = require('child_process'); L5: L6: const DEFAULT_BASE_URL = 'https://downloads.synapse-mcp.dev/synapse-mcp'; L7: ... L17: function resolvePaths(options = {}) { L18: const baseUrl = options.baseUrl || process.env.SYNAPSE_MCP_BASE_URL || DEFAULT_BASE_URL; L19: const installDir = options.installDir || process.env.SYNAPSE_MCP_INSTALL_DIR || path.join(process.env.HOME || process.env.USERPROFILE, '.synapse-mcp');
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/install.jsView on unpkg · L3
3const crypto = require('crypto'); L4: const childProcess = require('child_process'); L5: L6: const DEFAULT_BASE_URL = 'https://downloads.synapse-mcp.dev/synapse-mcp'; L7: L8: function platformId() { L9: if (process.platform === 'linux' && process.arch === 'x64') return 'linux-x86_64'; L10: if (process.platform === 'linux' && process.arch === 'arm64') return 'linux-aarch64'; ... L17: function resolvePaths(options = {}) { L18: const baseUrl = options.baseUrl || process.env.SYNAPSE_MCP_BASE_URL || DEFAULT_BASE_URL; L19: const installDir = options.installDir || process.env.SYNAPSE_MCP_INSTALL_DIR || path.join(process.env.HOME || process.env.USERPROFILE, '.synapse-mcp'); ... L33: if (result.status !== 0) return null;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

lib/install.jsView on unpkg · L3

Findings

5 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/synapse-mcp.js
HighSame File Env Network Executionlib/install.js
HighSandbox Evasion Gated Capabilitylib/install.js
HighRuntime Package Installbin/synapse-mcp.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License