mcp-scraper@0.3.40

⚠ Under review

MCP server for MCP Scraper web intelligence tools

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Obfuscated, UrlStrings
Manifest: NoLicense
scanned 25 file(s), 4.11 MB of source, external domains: adstransparency.google.com, anthropic.com, api.deepinfra.com, api64.ipify.org, blog.modelcontextprotocol.io, chatgpt.com, chatgptguide.ai, claude.ai, example.com, hyros-attribution-crm.vercel.app, instagram.com, ipapi.co, ipwho.is, mcp-memory-omega.vercel.app, mcpscraper.dev, medium.com, memory.mcpscraper.dev, modelcontextprotocol.io, openrouter.ai, registry.npmjs.org, schema.org, steenshoney.com, suprmind.ai, techcrunch.com, thorbit.ai, www.facebook.com, www.google.com, www.instagram.com, www.mcpscraper.dev, www.xmlvalidation.com, www.youtube.com, www2.census.gov, yourdomain.com, youtu.be, youtube.com

Source & flagged code

3 flagged

dist/server-HB7WJO3N.js
L9883: contains invisible/control Unicode U+200B (zero width space)
const bodyText = rawBodyText.replace(/<U+200B>/g, " ").replace(/\s+/g, " ");
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/server-HB7WJO3N.js · L9883

Trigger-reachable chain: manifest.bin -> dist/bin/api-server.js -> dist/server-HB7WJO3N.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/server-HB7WJO3N.js

L188: ctaHeadingItalic: "real data.",
L189: ctaBody: "MCP Scraper gives your AI workflows the web intelligence they need \u2014 SERP data, People Also Ask harvests, page extraction, YouTube transcripts, and more. All via API...
L190: sections: [
...
L451: answer: `<strong>ChatGPT makes things up because its RLHF training consistently rewarded fluent, complete-sounding answers \u2014 and human raters often cannot tell in the moment w...
L452: source: "https://techcrunch.com/2026/05/05/openai-releases-gpt-5-5-instant-a-new-default-model-for-chatgpt/"
L453: }
...
L499: question: "what is the hallucination rate of Claude in 2026",
L500: answer: `<strong>Claude's hallucination rate in 2026 spans from 0% (Claude Opus 4.1 on AA-Omniscience, via refusal) to 58% (Claude Opus 4.5 on the same benchmark when not configure...
L501: source: "https://medium.com/@anyapi.ai/llm-hallucination-index-2026-why-claude-4-6-7b2d13ed9f0c"
...
L1634: ],
L1635: interactiveHtml: `<div class="si si-codegen"><span class="si-heading">Generate your PAA API request</span><div class="si-codegen-inputs"><label class="si-label">Keyword<input class...
L1636: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/server-HB7WJO3N.js · L188

Findings

2 Critical · 3 Medium · 7 Low

Critical · Trojan Source Unicode · dist/server-HB7WJO3N.js
Critical · Trigger Reachable Dangerous Capability · dist/server-HB7WJO3N.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · dist/server-HB7WJO3N.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings
Low · No License