registry  /  @onyxsecurity/mcp-gateway  /  1.0.121

@onyxsecurity/mcp-gateway@1.0.121

A TypeScript SSE proxy for MCP servers that use stdio transport.

Static Scan Results

scanned 12d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 18 file(s), 787 KB of source, external domains: example.com, github.com

Source & flagged code

5 flagged · loading source
dist/transportDetection-CKK1yKFe.jsView file
1import{OAuthError as e,SSEClientTransport as t,StreamableHTTPClientTransport as n,[redacted] as r,[redacted] as i,exchangeAutho... L2: <html lang="en">
High
Child Process

Package source references child process execution.

dist/transportDetection-CKK1yKFe.jsView on unpkg · L1
1import{OAuthError as e,SSEClientTransport as t,StreamableHTTPClientTransport as n,[redacted] as r,[redacted] as i,exchangeAutho... L2: <html lang="en">
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/transportDetection-CKK1yKFe.jsView on unpkg · L1
1import{OAuthError as e,SSEClientTransport as t,StreamableHTTPClientTransport as n,[redacted] as r,[redacted] as i,exchangeAutho... L2: <html lang="en">
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/transportDetection-CKK1yKFe.jsView on unpkg · L1
dist/helpers-BPQVbZuN.jsView file
1import{__commonJSMin as e,__toESM as t}from"./chunk-CrDKVgUD.js";import{createRequire as n}from"node:module";import{readFileSync as r,readdirSync as i}from"node:fs";import{format a... L2: `).map(e=>e.split(` `)),n=0;return t.forEach(e=>{e.length>1&&C.stringWidth(e[0])>n&&(n=Math.min(Math.floor(this.width*.5),C.stringWidth(e[0])))}),t.forEach(e=>{this.div(...e.map((t...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/helpers-BPQVbZuN.jsView on unpkg · L1
1import{__commonJSMin as e,__toESM as t}from"./chunk-CrDKVgUD.js";import{createRequire as n}from"node:module";import{readFileSync as r,readdirSync as i}from"node:fs";import{format a... L2: `).map(e=>e.split(` `)),n=0;return t.forEach(e=>{e.length>1&&C.stringWidth(e[0])>n&&(n=Math.min(Math.floor(this.width*.5),C.stringWidth(e[0])))}),t.forEach(e=>{this.div(...e.map((t... ... L4: `):e.text.split(` L5: `),e.border&&(r.unshift(`.`+`-`.repeat(this.negatePadding(e)+2)+`.`),r.push(`'`+`-`.repeat(this.negatePadding(e)+2)+`'`)),e.padding&&(r.unshift(...Array(e.padding[0]||0).fill(``)),... L6: `),l=[...c],u=0;for(let[e,t]of l.entries()){if(r+=t,Me.has(t)){let{groups:e}=RegExp(`(?:\\[(?<code>\\d+)m|\\${Ne}(?<uri>.*))`).exec(c.slice(u))||{groups:{}};if(e.code!==void 0){le... ... L29: */ L30: var D;(function(e){e.BOOLEAN=`boolean`,e.STRING=`string`,e.NUMBER=`number`,e.ARRAY=`array`})(D||={});let O;var qe=class{constructor(e){O=e}parse(e,t){let n=Object.assign({alias:voi... L31: `);b.div(`${e}\n`)}return b.toString().replace(/\s*$/,``)};function _(e,n,r){let i=0;return Array.isArray(e)||(e=Object.values(e).map(e=>[e])),e.forEach(e=>{i=Math.max(t.stringWidt... ... L35: # L36: # Installation:
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/helpers-BPQVbZuN.jsView on unpkg · L1

Findings

3 High5 Medium7 Low
HighChild Processdist/transportDetection-CKK1yKFe.js
HighSame File Env Network Executiondist/transportDetection-CKK1yKFe.js
HighCommand Output Exfiltrationdist/transportDetection-CKK1yKFe.js
MediumDynamic Requiredist/helpers-BPQVbZuN.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/helpers-BPQVbZuN.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License