
@soumyaprasadrana/maximo-mcp-server@1.2.0

Enterprise MCP server for IBM Maximo with metadata-aware query building and staged working set operations.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Dynamic Require, Environment Vars, Filesystem
Supply chain: High Entropy Strings, Minified, Obfuscated, Url Strings
Manifest: No License
scanned 71 file(s), 1.54 MB of source, external domains: maximo.example.com

Source & flagged code

3 flagged

dist/metadataengine/MetadataEngine.js
const _0x4c919c=_0x36d3;(function(_0x387584,_0x29c2b2){const _0x325d2c=_0x36d3,_0x2a2ace=_0x387584();while(!![]){try{const _0x48e92f=-parseInt(_0x325d2c(0x4a4,'PR5x'))/(0x1*-0x18f2...
Medium · Dynamic Require

Package source references dynamic require/import behavior.

dist/metadataengine/MetadataEngine.js, line 1

cli.js
Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, sensitive-file+network
L6: const __filename = fileURLToPath(import.meta.url);
L7: const __dirname = path.dirname(__filename);
L8: ...
L11: function readVersion() {
L12: const versionFromEnv = process.env.npm[redacted]?.trim();
L13: if (versionFromEnv) return versionFromEnv;
L14: try {
L15: const pkgPath = path.join(__dirname, "package.json");
L16: const raw = fs.readFileSync(pkgPath, "utf8");
L17: const pkg = JSON.parse(raw);
L18: if (typeof pkg?.version === "string" && pkg.version.trim()) { ...
L137: --reconcile-sync MCP_RECONCILE_SYNC block startup until sync done;
High · Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

cli.js, line 6

dist/tools/dev/index.js
const _0x5b2af6=_0x5cbe;(function(_0x2c7a4c,_0xdaee48){const _0x1f1418=_0x5cbe,_0x468333=_0x2c7a4c();while(!![]){try{const _0xb9f882=parseInt(_0x1f1418(0x1fe,'Xb@W'))/(0x1d3f+0x3*-...
High · Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/tools/dev/index.js, line 1

Findings

3 High · 3 Medium · 5 Low
High: Entrypoint Build Divergence (cli.js)
High: Obfuscated Payload Loader (dist/tools/dev/index.js)
High: Obfuscated
Medium: Dynamic Require (dist/metadataengine/MetadataEngine.js)
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings
Low: No License