lensmcp@1.16.1

LensMCP CLI — install and run the MCP observability server coding agents use to see running apps.

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

Public snapshot

Behavioral surface
  Source: Child Process, Crypto, Environment Vars, Eval, Filesystem, Network, Shell, WebSocket
  Supply chain: High Entropy Strings, Minified, Obfuscated, Url Strings
  Manifest: no manifest risk signals triggered.

Scanned 10 file(s), 3.40 MB of source. External domains: a.b.co.uk, crbug.com, cs.chromium.org, docs.google.com, drafts.csswg.org, example.test, fedidcg.github.io, fidoalliance.org, github.com, goo.gle, html.spec.whatwg.org, json-schema.org, lensmcp.local, react.dev, reactflow.dev, source.chromium.org, tools.ietf.org, w3c.github.io, webaudio.github.io, wicg.github.io, www.apache.org, www.chromium.org, www.google.com, www.w3.org

Source & flagged code

7 flagged
bundled/capture-runner.js
  L1232: import { join } from "path";
  L1233: import childProcess from "child_process";
  L1234: import { mkdirSync } from "fs";

High · Child Process

Package source references child process execution.

bundled/capture-runner.js · L1232
  L1933: if (isWindows2) {
  L1934: const taskkillProc = spawnSync(`taskkill /pid ${this.chromeProcess.pid} /T /F`, { shell: true, encoding: "utf-8" });
  L1935: const { stderr } = taskkillProc;

High · Shell

Package source references shell execution.

bundled/capture-runner.js · L1933
  L192: for (let i = 0; i < namespace.length; i++) {
  L193: hash = (hash << 5) - hash + namespace.charCodeAt(i);
  L194: hash |= 0;
  ...
  L452: let m;
  L453: return typeof document !== "undefined" && document.documentElement && document.documentElement.style && document.documentElement.style.WebkitAppearance || // Is firebug? http://sta...
  L454: typeof window !== "undefined" && window.console && (window.console.firebug || window.console.exception && window.console.table) || // Is firefox >= v31?
  ...
  L497: if (!r && typeof process !== "undefined" && "env" in process) {
  L498: r = process.env.DEBUG;
  L499: }
  ...
  L583: }
  L584: if (process.platform === "win32") {
  L585: const osRelease = os.release().split(".");

High · Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

bundled/capture-runner.js · L192
  L29320: name: "allowUnsafeEvalBlockedByCSP",
  L29321: description: "The Content Security Policy (CSP) for the target might block 'unsafe-eval'\nwhich includes eval(), Function(), setTimeout() and setInterval()\nwhen called with non-ca...
  L29322: experimental: true,

Low · Eval

Package source references a known benign dynamic code generation pattern.

bundled/capture-runner.js · L29320
lib/cli.js
  Cross-file remote execution chain: lib/cli.js spawns bundled/bridge.js; helper contains network access plus dynamic code execution.
  L1: import { spawn, spawnSync } from 'node:child_process';
  L2: import { existsSync, mkdirSync, openSync, readFileSync, readdirSync, writeFileSync } from 'node:fs';
  ...
  L33: apps/services under their hosts) AND the per-workspace
  L34: lens dashboard at https://lensmcp.local/<key>/. \`start\`
  L35: spawns it detached (pid+log in .lensmcp/); \`stop\` ends it;
  ...
  L77: out(HELP);
  L78: return { exitCode: 0 };
  L79: }
  ...
  L131: const eventFile = ctx.env?.['LENSMCP_EVENT_FILE'] ??
  L132: process.env['LENSMCP_EVENT_FILE'] ??
  L133: join(cwd, '.lensmcp', 'events.jsonl');
  ...
  L328: try {

High · Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

lib/cli.js · L1
  L216: if (!nxBin) {
  L217: err('Could not find the `nx` binary in the workspace. Install Nx first: `yarn add -D nx`.');
  L218: return { exitCode: 1 };
  ...
  L220: const fd = openSync(logFile, 'a');
  L221: const child = spawn(nxBin, ['run', `${target.project}:${target.target}`], {
  L222: cwd,

High · Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/cli.js · L216
plugin/scripts/gateway-start.sh
  path = plugin/scripts/gateway-start.sh
  kind = build_helper
  sizeBytes = 713
  magicHex = [redacted]

Medium · Ships Build Helper

Package ships non-JavaScript build or shell helper files.

plugin/scripts/gateway-start.sh

Findings

5 High · 4 Medium · 5 Low

High · Child Process · bundled/capture-runner.js
High · Shell · bundled/capture-runner.js
High · Obfuscated Payload Loader · bundled/capture-runner.js
High · Cross File Remote Execution Context · lib/cli.js
High · Runtime Package Install · lib/cli.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · plugin/scripts/gateway-start.sh
Medium · Structural Risk Force Deep Review
Low · Eval · bundled/capture-runner.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings