registry  /  momen-mcp  /  2.0.17

momen-mcp@2.0.17

MCP server for Momen.app

Static Scan Results

scanned 13d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 2.26 MB of source, external domains: aboutreact.com, altairgraphql.dev, app-logger-canary.momen.app, app-logger.momen.app, auth-canary.momen.app, auth.momen.app, backend-canary.momen.app, backend.momen.app, commonmark.org, console.cloud.google.com, console.twilio.com, day.js.org, demo.airwallex.com, dev.to, developer.mozilla.org, developers.google.com, docs.functorz.com, docs.momen.app, docs.stripe.com, editor.momen.app, en.wikipedia.org, example.com, forum.momen.app, github.com, graphql.com, graphql.org, json-schema.org, lottiefiles.com, momen.app, nextra.site, npm.functorz.work, npms.io, oss.cyzu.cn, raw.githubusercontent.com, react.dev, reactnative.dev, registry.npmmirror.com, stripe.com, villa.momen.app, webpack.docschina.org, www.airwallex.com, www.freeformatter.com, www.linkedin.com, www.mapbox.com, www.npmjs.com, www.postman.com, www.ruf.rice.edu, www.twilio.com, www.youtube.com, x.com
Oversized source lightweight scan
dist/ztype-MBHFROZE.js7.00 MB file, sampled 256 KB
ChildProcessObfuscatedHighEntropyStringsMinified

Source & flagged code

7 flagged · loading source
dist/server.jsView file
194depsCount: ${t}, L195: deps: ${r}}`};var i_e={keyword:"dependencies",type:"object",schemaType:"object",error:di.error,code(e){let[t,r]=o_e(e);GV(e,t),VV(e,r)}};function o_e({schema:e}){let t={},r={};for(... L196: `)}displayWidth(t){return UZ(t).length}styleTitle(t){return t}styleUsage(t){return t.split(" ").map(r=>r==="[options]"?this.styleOptionText(r):r==="[command]"?this.styleSubcommandT...
High
Child Process

Package source references child process execution.

dist/server.jsView on unpkg · L194
181\r L182: `+r)),e.removeListener("error",jb),e.destroy()}function Lie(e){return e.trim()}});var fM=v((OPe,dM)=>{"use strict";p();var wl=Cb();wl.createWebSocketStream=sM();wl.Server=pM();wl.R... L183: `).join(`\r ... L191: || (${s} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(a,(0,he._)`+${i}`);return;case"boolean":n.elseIf((0,he._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L192: || ${s} === "boolean" || ${i} === null`).assign(a,(0,he._)`[${i}]`)}}}function Ihe({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,he._)`${t} !== undefined`,()=>e.assign((0,he... L193: missingProperty: ${n},
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/server.jsView on unpkg · L181
181\r L182: `+r)),e.removeListener("error",jb),e.destroy()}function Lie(e){return e.trim()}});var fM=v((OPe,dM)=>{"use strict";p();var wl=Cb();wl.createWebSocketStream=sM();wl.Server=pM();wl.R... L183: `).join(`\r ... L191: || (${s} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(a,(0,he._)`+${i}`);return;case"boolean":n.elseIf((0,he._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L192: || ${s} === "boolean" || ${i} === null`).assign(a,(0,he._)`[${i}]`)}}}function Ihe({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,he._)`${t} !== undefined`,()=>e.assign((0,he... L193: missingProperty: ${n}, L194: depsCount: ${t}, L195: deps: ${r}}`};var i_e={keyword:"dependencies",type:"object",schemaType:"object",error:di.error,code(e){let[t,r]=o_e(e);GV(e,t),VV(e,r)}};function o_e({schema:e}){let t={},r={};for(... L196: `)}displayWidth(t){return UZ(t).length}styleTitle(t){return t}styleUsage(t){return t.split(" ").map(r=>r==="[options]"?this.styleOptionText(r):r==="[command]"?this.styleSubcommandT...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/server.jsView on unpkg · L181
2Cross-file remote execution chain: dist/server.js spawns dist/index.cjs-LLB5UXJY.js; helper contains network access plus dynamic code execution. L2: const require = __nodeCreateRequire(import.meta.url); L3: import{a as Q,c as v,d as my,e as Dt,g as p,h as g}from"./chunk-KQJNRKMF.js";var aa=v((_y,DA)=>{p();var nd=Q("buffer"),Vn=nd.Buffer;function RA(e,t){for(var r in e)t[r]=e[r]}Vn.fro... L4: Supported algorithms are: L5: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512" and "none".`,ou="secret must be a string or buffer",ca="key must be a str... L6: `),l=n.split(/\r\n|[\n\r]/g),d=l[i];if(d.length>120){for(var f=Math.floor(c/80),h=c%80,m=[],y=0;y<d.length;y+=80)m.push(d.slice(y,y+80));return u+ER([["".concat(s),m[0]]].concat(m.... ... L16: L17: https://yarnpkg.com/en/docs/selective-version-resolutions L18: ... L173: `+r);var n=r[r.length-1],i=n==='"'&&r.slice(-4)!=='\\"""';return(i||n==="\\")&&(r+=` L174: `),'"""'+r+'"""'}});var ij=v(ho=>{"use strict";p();Object.defineProperty(ho,"__esModule",{value:!0});ho.findBreakingChanges=ure;ho.findDangerousChanges=lre;ho.DangerousChangeType=h... L175: `);let n;for(;(n=Kre.exec(r))!=n…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/server.jsView on unpkg · L2
191|| (${s} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(a,(0,he._)`+${i}`);return;case"boolean":n.elseIf((0,he._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L192: || ${s} === "boolean" || ${i} === null`).assign(a,(0,he._)`[${i}]`)}}}function Ihe({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,he._)`${t} !== undefined`,()=>e.assign((0,he... L193: missingProperty: ${n},
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/server.jsView on unpkg · L191
dist/index.cjs-LLB5UXJY.jsView file
2const require = __nodeCreateRequire(import.meta.url); L3: import{a as ES}from"./chunk-NJNXU5WV.js";import{l as hS}from"./chunk-NONCYU6W.js";import{b as a,c as QA,d as rg,f as tg,g as e}from"./chunk-KQJNRKMF.js";var eg=QA((hd,Ed)=>{e();(fu... L4: /* [wrapped with `+t+`] */ L5: `)}var fM,Ng,Lg=a(()=>{e();fM=/\{(?:\n\/\* \[wrapped with .+\] \*\/)?\n?/;Ng=iM});function aM(r){return function(){return r}}var Oe,Ai=a(()=>{e();Oe=aM});var nM,wo,Gd=a(()=>{e();Ee... L6: `:"";r.replace(h,function(L,G,k,Hr,Sr,gr){return k||(k=Hr),x+=r.slice(d,gr).replace(zY,Db),G&&(s=!0,x+=`' + ... L21: `)+x+`return __p L22: }`;var D=Qo(function(){return Function(u,O+"return "+x).apply(void 0,m)});if(D.source=x,Ge(D))throw D;return D}var jY,YY,qY,VY,KY,Fb,XY,cl,zY,ZY,Hb,xl,UE=a(()=>{e();ie();Ga();Xa();...
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.cjs-LLB5UXJY.jsView on unpkg · L2
dist/ztype-MBHFROZE.jsView file
path = dist/ztype-MBHFROZE.js kind = oversized_source_file sizeBytes = 7336407 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/ztype-MBHFROZE.jsView on unpkg

Findings

5 High3 Medium7 Low
HighChild Processdist/server.js
HighSame File Env Network Executiondist/server.js
HighCommand Output Exfiltrationdist/server.js
HighCross File Remote Execution Contextdist/server.js
HighOversized Source Filedist/ztype-MBHFROZE.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/server.js
LowWeak Cryptodist/index.cjs-LLB5UXJY.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings