registry  /  @trustbaseai/collab-mcp  /  0.3.0

@trustbaseai/collab-mcp@0.3.0

Multi-AI collaboration MCP server - core communication layer

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 128 KB of source, external domains: 127.0.0.1, www.launchd.info

Source & flagged code

5 flagged · loading source
src/cli-install.jsView file
114patternName = generic_password severity = medium line = 114 matchedText = console....rd);
Medium
Secret Pattern

Package contains a possible secret pattern.

src/cli-install.jsView on unpkg · L114
src/service-windows.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @trustbaseai/collab-mcp@0.2.11 matchedIdentity = npm:QHRydXN0YmFzZWFpL2NvbGxhYi1tY3A:0.2.11 similarity = 0.826 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/service-windows.jsView on unpkg
12L13: const { execFileSync } = require('child_process'); L14: const fs = require('fs'); ... L30: fs.mkdirSync(wrapperDir(), { recursive: true }); L31: // bin/collab-mcp.js sits next to package.json in the install root; we L32: // resolve via the package root so the wrapper works regardless of cwd. L33: const pkgRoot = path.resolve(__dirname, '..'); L34: const scriptPath = path.join(pkgRoot, 'bin', 'collab-mcp.js'); ... L65: function installViaScheduledTask(wbat) { L66: // Use schtasks command-line flags instead of XML file to avoid encoding issues. L67: // /sc ONLOGON = trigger on user logon
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/service-windows.jsView on unpkg · L12
src/cli-user.jsView file
63patternName = generic_password severity = medium line = 63 matchedText = console....rd);
Medium
Secret Pattern

Hardcoded password in src/cli-user.js

src/cli-user.jsView on unpkg · L63
93patternName = generic_password severity = medium line = 93 matchedText = console....rd);
Medium
Secret Pattern

Hardcoded password in src/cli-user.js

src/cli-user.jsView on unpkg · L93

Findings

1 High6 Medium4 Low
HighPrevious Version Dangerous Deltasrc/service-windows.js
MediumSecret Patternsrc/cli-install.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/service-windows.js
MediumSecret Patternsrc/cli-user.js
MediumSecret Patternsrc/cli-user.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings