
mcp-scraper@0.3.44

⚠ Under review

MCP server for MCP Scraper web intelligence tools

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Obfuscated, UrlStrings
Manifest: NoLicense
scanned 25 file(s), 4.14 MB of source, external domains: adstransparency.google.com, anthropic.com, api.deepinfra.com, api64.ipify.org, blog.modelcontextprotocol.io, chatgpt.com, chatgptguide.ai, claude.ai, example.com, hyros-attribution-crm.vercel.app, instagram.com, ipapi.co, ipwho.is, mcp-memory-omega.vercel.app, mcpscraper.dev, medium.com, memory.mcpscraper.dev, modelcontextprotocol.io, openrouter.ai, registry.npmjs.org, schema.org, steenshoney.com, suprmind.ai, techcrunch.com, thorbit.ai, www.facebook.com, www.google.com, www.instagram.com, www.mcpscraper.dev, www.xmlvalidation.com, www.youtube.com, www2.census.gov, yourdomain.com, youtu.be, youtube.com

Source & flagged code

6 flagged

dist/chunk-NNEIXK5L.js
L17: import { dirname, join } from "path";
L18: import { execFile } from "child_process";
L19:
High
Child Process

Package source references child process execution.

dist/chunk-NNEIXK5L.js · L17

dist/server-AN6QUH6C.js
Trigger-reachable chain: manifest.bin -> dist/bin/api-server.js -> dist/server-AN6QUH6C.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/server-AN6QUH6C.js

L190: ctaHeadingItalic: "real data.",
L191: ctaBody: "MCP Scraper gives your AI workflows the web intelligence they need \u2014 SERP data, People Also Ask harvests, page extraction, YouTube transcripts, and more. All via API...
L192: sections: [
...
L453: answer: `<strong>ChatGPT makes things up because its RLHF training consistently rewarded fluent, complete-sounding answers \u2014 and human raters often cannot tell in the moment w...
L454: source: "https://techcrunch.com/2026/05/05/openai-releases-gpt-5-5-instant-a-new-default-model-for-chatgpt/"
L455: }
...
L501: question: "what is the hallucination rate of Claude in 2026",
L502: answer: `<strong>Claude's hallucination rate in 2026 spans from 0% (Claude Opus 4.1 on AA-Omniscience, via refusal) to 58% (Claude Opus 4.5 on the same benchmark when not configure...
L503: source: "https://medium.com/@anyapi.ai/llm-hallucination-index-2026-why-claude-4-6-7b2d13ed9f0c"
...
L1636: ],
L1637: interactiveHtml: `<div class="si si-codegen"><span class="si-heading">Generate your PAA API request</span><div class="si-codegen-inputs"><label class="si-label">Keyword<input class...
L1638: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/server-AN6QUH6C.js · L190

dist/bin/mcp-scraper-cli.js
L429: function apiOptions(opts) {
L430: const apiKey = String(opts.apiKey ?? process.env.MCP_SCRAPER_API_KEY ?? "").trim();
L431: if (!apiKey) throw new Error("MCP_SCRAPER_API_KEY is required. Pass --api-key or set the environment variable.");
L432: return {
L433: apiUrl: String(opts.apiUrl ?? process.env.MCP_SCRAPER_API_URL ?? "https://mcpscraper.dev").replace(/\/$/, ""),
L434: apiKey
...
L440: try {
L441: const child = spawn(command, args, { detached: true, stdio: "ignore" });
L442: child.unref();
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/bin/mcp-scraper-cli.js · L429

L17: import { Command } from "commander";
L18: import { spawn } from "child_process";
L19: import { mkdir as mkdir2, writeFile } from "fs/promises";
...
L112: "",
L113: "Desktop Extension: https://mcpscraper.dev/downloads/mcp-scraper.mcpb",
L114: restart
...
L129: async function readKeyFile() {
L130: const path = process.env.MCP_SCRAPER_KEY_PATH?.trim() || join(homedir(), ".mcp-scraper-key");
L131: try {
...
L143: if (!res.ok) return null;
L144: const data = await res.json();
L145: return data.version ?? null;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/bin/mcp-scraper-cli.js · L17

dist/bin/api-server.cjs
Contains invisible/control Unicode U+200B (zero width space)
L13640: const bodyText = rawBodyText.replace(/<U+200B>/g, " ").replace(/\s+/g, " ");
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/bin/api-server.cjs · L13640

Findings

2 Critical · 4 High · 3 Medium · 7 Low

Critical · Trojan Source Unicode · dist/bin/api-server.cjs
Critical · Trigger Reachable Dangerous Capability · dist/server-AN6QUH6C.js
High · Child Process · dist/chunk-NNEIXK5L.js
High · Shell
High · Same File Env Network Execution · dist/bin/mcp-scraper-cli.js
High · Sandbox Evasion Gated Capability · dist/bin/mcp-scraper-cli.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · dist/server-AN6QUH6C.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings
Low · No License