registry  /  @stigg/typescript-mcp  /  0.1.0-beta.37

@stigg/typescript-mcp@0.1.0-beta.37

The official MCP Server for the Stigg API

Static Scan Results

scanned 6d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 2.86 MB of source, external domains: api.stainless.com, blogs.oracle.com, bun.sh, central.sonatype.com, cursor.com, deno.land, developer.android.com, docs.deno.com, docs.oracle.com, docs.pydantic.dev, docs.python.org, edge.api.stigg.io, endoflife.date, example.com, gemdocs.org, github.com, go.dev, img.shields.io, javadoc.io, journal.stuffwithstuff.com, jsr.io, kotlinlang.org, my.test.proxy.example.com, my.test.server.example.com, npmjs.org, pkg.go.dev, pypi.org, raw.githubusercontent.com, semver.org, sorbet.org, square.github.io, vscode.stainless.com, www.github.com, www.guardsquare.com, www.npmjs.com, www.nuget.org, www.python-httpx.org, www.stainless.com

Source & flagged code

4 flagged · loading source
instructions.jsView file
7exports.getInstructions = getInstructions; L8: const promises_1 = __importDefault(require("fs/promises")); L9: const logger_1 = require("./logger.js");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

instructions.jsView on unpkg · L7
package.jsonView file
scripts registry_only=start
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
Remote tarball dependency specs: jq-web@https://github.com/stainless-api/jq-web/releases/download/v0.8.8/jq-web.tar.gz
Medium
Remote Tarball Dependency

Package manifest contains a dependency pinned to a remote tarball URL.

package.jsonView on unpkg
code-tool-worker.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @stigg/typescript-mcp@0.1.0-beta.35 matchedIdentity = npm:QHN0aWdnL3R5cGVzY3JpcHQtbWNw:0.1.0-beta.35 similarity = 0.878 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

code-tool-worker.jsView on unpkg

Findings

1 Critical1 High4 Medium4 Low
CriticalManifest Confusionpackage.json
HighPrevious Version Dangerous Deltacode-tool-worker.js
MediumDynamic Requireinstructions.js
MediumNetwork
MediumEnvironment Vars
MediumRemote Tarball Dependencypackage.json
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings