registry  /  @stigg/typescript-mcp  /  0.1.0-beta.43

@stigg/typescript-mcp@0.1.0-beta.43

The official MCP Server for the Stigg API

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The default MCP server exposes an `execute` tool that can run caller-provided TypeScript against a Stigg SDK client. Remote mode sends Stigg connection credentials to the Stainless code-tool endpoint; local mode dynamically evaluates the supplied code in a Deno worker.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User starts the MCP server and an MCP client invokes the default `execute` tool.
Impact
An MCP client can cause Stigg API operations; default remote execution discloses the Stigg API key and base URL to the configured Stainless endpoint.
Mechanism
Default-enabled remote/local caller-supplied code execution with credential forwarding.
Rationale
No evidence supports malicious install-time behavior or covert persistence. The package nevertheless defaults to a powerful MCP code-execution surface that forwards service credentials to a remote endpoint, so it warrants a warning rather than a clean verdict.
Evidence
package.jsonsrc/server.tssrc/options.tssrc/code-tool.tssrc/code-tool-worker.tssrc/index.ts
Network endpoints1
api.stainless.com/api/ai/code-tool

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/server.ts` enables the `execute` MCP tool by default.
  • `src/code-tool.ts` defaults execution to a Stainless-hosted sandbox.
  • `src/code-tool.ts` forwards `STIGG_API_KEY`/base URL to `api.stainless.com` in a request header.
  • `src/code-tool-worker.ts` dynamically imports caller-supplied TypeScript for local execution.
  • `src/options.ts` permits local execution and leaves all SDK methods allowed unless configured.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • `src/index.ts` starts only when invoked as the CLI entrypoint.
  • No package source writes files, alters agent configuration, or establishes persistence.
  • The remote execution, docs search, and credential flow are named, configurable MCP features.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 2.90 MB of source, external domains: api.stainless.com, blogs.oracle.com, bun.sh, central.sonatype.com, cursor.com, deno.land, developer.android.com, docs.deno.com, docs.oracle.com, docs.pydantic.dev, docs.python.org, edge.api.stigg.io, endoflife.date, example.com, gemdocs.org, github.com, go.dev, img.shields.io, javadoc.io, journal.stuffwithstuff.com, jsr.io, kotlinlang.org, my.test.proxy.example.com, my.test.server.example.com, npmjs.org, pkg.go.dev, pypi.org, raw.githubusercontent.com, semver.org, sorbet.org, square.github.io, vscode.stainless.com, www.github.com, www.guardsquare.com, www.npmjs.com, www.nuget.org, www.python-httpx.org, www.stainless.com

Source & flagged code

4 flagged · loading source
instructions.jsView file
7exports.getInstructions = getInstructions; L8: const promises_1 = __importDefault(require("fs/promises")); L9: const logger_1 = require("./logger.js");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

instructions.jsView on unpkg · L7
package.jsonView file
scripts registry_only=start
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
Remote tarball dependency specs: jq-web@https://github.com/stainless-api/jq-web/releases/download/v0.8.8/jq-web.tar.gz
Medium
Remote Tarball Dependency

Package manifest contains a dependency pinned to a remote tarball URL.

package.jsonView on unpkg
code-tool-worker.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @stigg/typescript-mcp@0.1.0-beta.40 matchedIdentity = npm:QHN0aWdnL3R5cGVzY3JpcHQtbWNw:0.1.0-beta.40 similarity = 0.878 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

code-tool-worker.jsView on unpkg

Findings

1 Critical1 High4 Medium4 Low
CriticalManifest Confusionpackage.json
HighPrevious Version Dangerous Deltacode-tool-worker.js
MediumDynamic Requireinstructions.js
MediumNetwork
MediumEnvironment Vars
MediumRemote Tarball Dependencypackage.json
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings