registry  /  @productbrain/mcp  /  0.0.1-beta.2143

@productbrain/mcp@0.0.1-beta.2143

Product Brain — MCP server for AI-assisted product knowledge management

Static Scan Results

scanned 7h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
NoLicense
scanned 6 file(s), 745 KB of source, external domains: claude.ai, eu.i.posthog.com, fonts.googleapis.com, fonts.gstatic.com, gateway.productbrain.io, productbrain.io, work.productbrain.io

Source & flagged code

3 flagged · loading source
dist/chunk-IZZBRF2F.jsView file
6551// src/lib/coherence/git-detection.ts L6552: import { execSync } from "child_process"; L6553: function detectTouchedRegistries(projectRoot) {
High
Child Process

Package source references child process execution.

dist/chunk-IZZBRF2F.jsView on unpkg · L6551
dist/setup-EALJFCQF.jsView file
14// src/cli/setup.ts L15: import { execSync } from "child_process"; L16: import { createInterface } from "readline"; ... L18: import { join } from "path"; L19: var APP_URL = process.env.PRODUCTBRAIN_APP_URL ?? "https://work.productbrain.io"; L20: function bold(s) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/setup-EALJFCQF.jsView on unpkg · L14
14// src/cli/setup.ts L15: import { execSync } from "child_process"; L16: import { createInterface } from "readline"; ... L18: import { join } from "path"; L19: var APP_URL = process.env.PRODUCTBRAIN_APP_URL ?? "https://work.productbrain.io"; L20: function bold(s) { ... L32: function log(msg) { L33: process.stdout.write(`${msg} L34: `); ... L36: function openBrowser(url) { L37: const platform = process.platform; L38: try {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/setup-EALJFCQF.jsView on unpkg · L14

Findings

4 High3 Medium7 Low
HighChild Processdist/chunk-IZZBRF2F.js
HighShell
HighSame File Env Network Executiondist/setup-EALJFCQF.js
HighSandbox Evasion Gated Capabilitydist/setup-EALJFCQF.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License