registry  /  converse-mcp-server  /  2.29.2

converse-mcp-server@2.29.2

Converse MCP Server - Converse with other LLMs with chat and consensus tools

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 762 KB of source, external domains: antigravity.google, api.deepseek.com, api.x.ai, github.com, openrouter.ai

Source & flagged code

2 flagged · loading source
bin/converse.jsView file
38const indexPath = join(projectRoot, 'src/index.js'); L39: const { main } = await import(pathToFileURL(indexPath).href); L40:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/converse.jsView on unpkg · L38
src/providers/gemini-cli.jsView file
380package = converse-mcp-server; repositoryIdentity = converse; dependency = @lydell/node-pty L380: try { L381: const mod = await import('@lydell/node-pty'); L382: return mod.default || mod;
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

src/providers/gemini-cli.jsView on unpkg · L380

Findings

1 High4 Medium4 Low
HighCopied Package Dependency Bridgesrc/providers/gemini-cli.js
MediumDynamic Requirebin/converse.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings