registry  /  @orangepro/orangepro-mcp  /  0.2.4

@orangepro/orangepro-mcp@0.2.4

OrangePro (`opro`) — a local-first, BYOK CLI + MCP server that builds an evidence graph from a local checkout, ingests runtime coverage, and generates grounded tests. Metadata-only exports; no source upload; generated tests stay local.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 99 file(s), 1.86 MB of source, external domains: api.anthropic.com, api.openai.com, app.orangepro.ai, cli.github.com, d3js.org, www.w3.org

Source & flagged code

5 flagged · loading source
dist/local/score/risk.jsView file
1import { execFileSync } from "node:child_process"; L2: const ENTRY_PATH_RE = /(^|\/)(routes?|controllers?|handlers?|jobs?|workers?|processors?|queues?|consumers?|subscribers?|listeners?|server|cmd)\//i;
High
Child Process

Package source references child process execution.

dist/local/score/risk.jsView on unpkg · L1
dist/local/viz/d3.bundle.jsView file
2// Vendored D3 v7 (from d3js.org, ISC) for the offline graph explorer. L3: export const D3_SOURCE = "\n// https://d3js.org v7.9.0 Copyright 2010-2023 Mike Bostock\n!function(t,n){\"object\"==typeof exports&&\"undefined\"!=typeof module?n(exports):\"functi...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/local/viz/d3.bundle.jsView on unpkg · L2
dist/local/generate/compareReport.jsView file
229const nb = clause.namedBindings; L230: if (nb && ts.isNamespaceImport(nb)) L231: out.set(nb.name.text, `*@${mod}`);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/local/generate/compareReport.jsView on unpkg · L229
dist/local/operations.jsView file
1Cross-file remote execution chain: dist/local/operations.js spawns dist/local/viz/html.js; helper contains network access plus dynamic code execution. L1: import { execFileSync, spawnSync } from "node:child_process"; L2: import { existsSync, mkdirSync, readFileSync, renameSync, statSync, writeFileSync } from "node:fs"; ... L53: function defaultDeps() { L54: return { clock: systemClock, env: process.env }; L55: } ... L145: return { L146: stdout: child.stdout ?? "", L147: stderr: child.stderr ?? "", ... L152: try { L153: return JSON.parse(stdout); L154: } ... L702: pr: prNumber,
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/local/operations.jsView on unpkg · L1
scripts/spikes/python-mutate.pyView file
path = scripts/spikes/python-mutate.py kind = build_helper sizeBytes = 3086 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/spikes/python-mutate.pyView on unpkg

Findings

3 High5 Medium6 Low
HighChild Processdist/local/score/risk.js
HighShell
HighCross File Remote Execution Contextdist/local/operations.js
MediumDynamic Requiredist/local/generate/compareReport.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/spikes/python-mutate.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/local/viz/d3.bundle.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings