
dodopayments-mcp@2.41.0

The official MCP Server for the Dodo Payments API

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
  Source: ChildProcess, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
  Supply chain: HighEntropyStrings, UrlStrings
  Manifest: No manifest risk signals triggered. (This summary disagrees with the findings below, which include a Critical Manifest Confusion on package.json; treat the findings list as the authoritative view.)

Scanned 50 file(s), 3.64 MB of source. External domains referenced in the source: blogs.oracle.com, bun.sh, central.sonatype.com, cursor.com, deno.land, developer.android.com, docs.deno.com, docs.dodopayments.com, docs.oracle.com, docs.pydantic.dev, docs.python.org, endoflife.date, example.com, gemdocs.org, github.com, img.shields.io, javadoc.io, journal.stuffwithstuff.com, jsr.io, kotlinlang.org, live.dodopayments.com, my.test.proxy.example.com, my.test.server.example.com, npmjs.org, pkg.go.dev, pypi.org, semver.org, sorbet.org, square.github.io, www.github.com, www.guardsquare.com, www.npmjs.com, www.nuget.org, www.python-httpx.org

Source & flagged code

3 flagged

instructions.js, lines 7-9:

    exports.getInstructions = getInstructions;
    const promises_1 = __importDefault(require("fs/promises"));
    const logger_1 = require("./logger.js");

Medium: Dynamic Require (instructions.js, line 7)

Package source references dynamic require/import behavior.

Caveat: the flagged excerpt contains only string-literal require() calls, one wrapped in the __importDefault helper that the TypeScript compiler emits for esModuleInterop; neither is a dynamic require. Confirm against the full file on unpkg before treating this as runtime module loading.
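To triage a Dynamic Require flag it helps to separate string-literal specifiers from computed ones. The following is an added example, not the scanner's or the package's code: it scans source text for require()/import() call sites with a small parenthesis-matching pass (no AST parser) and classifies each specifier. The sample source is constructed; its first two lines mirror the flagged excerpt, the rest are hypothetical lines added to show the dynamic forms.

```javascript
// Added example: classify require()/import() call sites as static (string-literal
// specifier) or dynamic (computed specifier). Not the scanner's code.
// SAMPLE_SOURCE is constructed; its first two lines mirror the flagged excerpt.
const SAMPLE_SOURCE = [
  'const promises_1 = __importDefault(require("fs/promises"));', // static, via TS helper
  'const logger_1 = require("./logger.js");', // static
  'const plugin = require(path.join(__dirname, "plugins", name));', // dynamic
  'const handler = require(`./handlers/${kind}`);', // dynamic (interpolated template)
  'import("./lazy.js").then((m) => m.run());', // static specifier, dynamic import syntax
  'const loaded = import(specifier);', // dynamic
].join("\n");

// A specifier is static when it is a plain string literal or a template literal
// with no ${...} interpolation.
function isStaticSpecifier(arg) {
  if (/^(["'])(?:\\.|(?!\1).)*\1$/.test(arg)) return true;
  return /^`[^`]*`$/.test(arg) && !arg.includes("${");
}

// Walk every `require(` / `import(` call, extract the full argument text by
// matching parentheses (skipping over quoted strings), and classify it.
// The word boundary keeps `__importDefault(` from matching as `import(`.
function classifyModuleLoads(source) {
  const results = [];
  const callRe = /\b(require|import)\s*\(/g;
  let m;
  while ((m = callRe.exec(source)) !== null) {
    const argStart = m.index + m[0].length;
    let i = argStart;
    let depth = 1;
    let quote = null;
    while (i < source.length && depth > 0) {
      const c = source[i];
      if (quote) {
        if (c === "\\") i++; // skip the escaped character
        else if (c === quote) quote = null;
      } else if (c === '"' || c === "'" || c === "`") {
        quote = c;
      } else if (c === "(") {
        depth++;
      } else if (c === ")") {
        depth--;
      }
      i++;
    }
    const arg = source.slice(argStart, i - 1).trim();
    results.push({
      call: m[1],
      specifier: arg,
      kind: isStaticSpecifier(arg) ? "static" : "dynamic",
      line: source.slice(0, m.index).split("\n").length,
    });
  }
  return results;
}

// Only computed specifiers deserve a human look; literal ones are ordinary
// module imports, including those wrapped in the TypeScript __importDefault helper.
function dynamicLoads(source) {
  return classifyModuleLoads(source).filter((r) => r.kind === "dynamic");
}

for (const r of dynamicLoads(SAMPLE_SOURCE)) {
  console.log(`line ${r.line}: ${r.call}(${r.specifier}) is dynamic`);
}
```

Run it over the real instructions.js from unpkg: if dynamicLoads() returns nothing, the flag is a false positive on the compiler helper; if it returns a computed specifier, check what controls the value (environment, config, network input) before deciding severity.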
package.json

scripts: the `start` script is present only in the npm registry manifest, not in the tarball's package.json.

Critical: Manifest Confusion (package.json)

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets. The registry manifest is supplied by the publishing client and is not derived from the tarball, so review the package.json inside the published tarball directly rather than relying on registry metadata.

Remote tarball dependency spec: jq-web@https://github.com/stainless-api/jq-web/releases/download/v0.8.8/jq-web.tar.gz

Medium: Remote Tarball Dependency (package.json)

Package manifest contains a dependency pinned to a remote tarball URL. A URL dependency is fetched outside the npm registry, so registry-side review and publishing controls do not apply to it; make sure the lockfile records its resolved URL and integrity hash so the bytes cannot change without a visible lockfile diff.
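The two package.json findings above (Manifest Confusion and Remote Tarball Dependency) can be reproduced with a short comparison. The following is an added example, not the scanner's or the package's code: it diffs the scripts and dependency sets of a registry manifest against a tarball manifest and lists dependency specs that resolve outside the registry. Both manifests are constructed here (example.com stands in for the real tarball host); in practice the registry side comes from `npm view <pkg>@<version> --json` and the tarball side from package/package.json inside the archive produced by `npm pack <pkg>@<version>`.

```javascript
// Added example: reproduce the manifest-confusion and non-registry-dependency
// checks on constructed inputs. Not the scanner's or the package's code.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Constructed registry-side version manifest: declares a `start` script.
const REGISTRY_MANIFEST = {
  name: "example-pkg",
  version: "1.0.0",
  scripts: { start: "node server.js" },
  dependencies: { "left-pad": "^1.3.0" },
};

// Constructed tarball package.json: no `start` script, plus a dependency pinned
// to a remote tarball URL that the registry manifest does not show.
const TARBALL_MANIFEST = {
  name: "example-pkg",
  version: "1.0.0",
  scripts: {},
  dependencies: {
    "left-pad": "^1.3.0",
    "jq-web": "https://example.com/releases/v0.8.8/jq-web.tar.gz",
  },
};

// Keys present on only one side, or with differing values, for one object-valued field.
function diffObjectField(registry, tarball) {
  const a = registry || {};
  const b = tarball || {};
  return {
    registryOnly: Object.keys(a).filter((k) => !(k in b)),
    tarballOnly: Object.keys(b).filter((k) => !(k in a)),
    changed: Object.keys(a).filter((k) => k in b && a[k] !== b[k]),
  };
}

// Manifest confusion: any disagreement in scripts or dependency sets between
// what the registry advertises and what the tarball actually ships.
function manifestConfusion(registry, tarball) {
  const findings = [];
  for (const field of ["scripts", ...DEP_FIELDS]) {
    const d = diffObjectField(registry[field], tarball[field]);
    if (d.registryOnly.length || d.tarballOnly.length || d.changed.length) {
      findings.push({ field, ...d });
    }
  }
  return findings;
}

// Dependency spec forms that npm resolves outside the registry.
const NON_REGISTRY_SPECS = [
  ["remote tarball", /^https?:\/\//],
  ["git url", /^(git\+(https?|ssh|file)|git|ssh):\/\//],
  ["hosted git shorthand", /^(github|gitlab|bitbucket|gist):/],
  ["hosted git shorthand", /^[\w.-]+\/[\w.-]+(#.*)?$/],
  ["local path", /^(file:|\.{0,2}\/)/],
];

function nonRegistryDependencies(manifest) {
  const hits = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const match = NON_REGISTRY_SPECS.find(([, re]) => re.test(spec));
      if (match) hits.push({ field, name, spec, kind: match[0] });
    }
  }
  return hits;
}

console.log(JSON.stringify(manifestConfusion(REGISTRY_MANIFEST, TARBALL_MANIFEST), null, 2));
console.log(JSON.stringify(nonRegistryDependencies(TARBALL_MANIFEST), null, 2));
```

On the constructed inputs the first function reports `start` as registry-only and `jq-web` as tarball-only, which is the shape of the Critical finding above; the second reports `jq-web` as a remote tarball. Run both against the real manifests of the version under review, and treat any `scripts` difference as the most urgent, since lifecycle scripts are what execute on install.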

Findings

1 Critical, 4 Medium, 4 Low

Critical: Manifest Confusion (package.json)
Medium: Dynamic Require (instructions.js)
Medium: Network
Medium: Environment Vars
Medium: Remote Tarball Dependency (package.json)
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings