registry  /  @zegazone_mcp/mcp  /  2.0.17

@zegazone_mcp/mcp@2.0.17

MCP server wrapper for Zegazone thirdparty-v1 API

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 16 file(s), 91.4 KB of source, external domains: 127.0.0.1, api.zegaphone.com, www.zegazone.com

Source & flagged code

1 flagged · loading source
scripts/oauth-pair.mjsView file
7* Env: L8: * ZEGA_API_BASE optional, default https://api.zegaphone.com (or prior credentials.json api_base) L9: * ZEGA_APP_BASE optional, default https://www.zegazone.com ... L20: import os from "node:os"; L21: import { spawn } from "node:child_process"; L22: ... L31: const raw = fs.readFileSync(credPath, "utf8"); L32: const parsed = JSON.parse(raw); L33: if (typeof parsed.api_base === "string" && parsed.api_base.trim()) { ... L42: function resolveApiBase(credPath) { L43: const fromEnv = process.env.ZEGA_API_BASE?.trim(); L44: if (fromEnv) return normalizeApiBase(fromEnv);
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/oauth-pair.mjsView on unpkg · L7

Findings

1 High3 Medium5 Low
HighSandbox Evasion Gated Capabilityscripts/oauth-pair.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License