registry  /  fractascan-mcp  /  0.1.3

fractascan-mcp@0.1.3

Model Context Protocol server exposing Fracta scan tools (passive_scan, scan_repo, …)

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
WildcardDependency
scanned 8 file(s), 661 KB of source, external domains: api.anthropic.com, app.seu-dominio.com, cve.mitre.org, cwe.mitre.org, datatracker.ietf.org, docs.anthropic.com, docs.expo.dev, docs.nestjs.com, docs.stripe.com, evil.com, exemplo.com.br, fracta.pro, github.com, meuapp.com.br, owasp.org, platform.claude.com, supabase.com, www.gov.br, www.prisma.io

Source & flagged code

5 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = fractascan-mcp@0.1.1 matchedIdentity = npm:ZnJhY3Rhc2Nhbi1tY3A:0.1.1 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
1196patternName = generic_password severity = medium line = 1196 matchedText = const bo..." };
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.jsView on unpkg · L1196
1935patternName = generic_password severity = medium line = 1935 matchedText = body: { ..." },
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L1935
3893patternName = generic_password severity = medium line = 3893 matchedText = password...99",
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L3893
55title: "CSP com 'unsafe-eval' em script-src", L56: detail: "'unsafe-eval' reabre eval()/new Function()/setTimeout(string) \u2014 amplia a superf\xEDcie de XSS.", L57: recommendation: "Remova 'unsafe-eval' e refatore o c\xF3digo que depende de eval/Function din\xE2micos."
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L55

Findings

1 High6 Medium6 Low
HighPrevious Version Dangerous Deltadist/index.js
MediumSecret Patterndist/index.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
MediumSecret Patterndist/index.js
MediumSecret Patterndist/index.js
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings