registry  /  momen-mcp  /  2.0.20

momen-mcp@2.0.20

⚠ Under review

MCP server for Momen.app

Static Scan Results

scanned 12d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 2.28 MB of source, external domains: aboutreact.com, altairgraphql.dev, api.example.com, app-logger-canary.momen.app, app-logger.momen.app, auth-canary.momen.app, auth.momen.app, backend-canary.momen.app, backend.momen.app, commonmark.org, console.cloud.google.com, console.twilio.com, day.js.org, demo.airwallex.com, dev.to, developer.mozilla.org, developers.google.com, docs.functorz.com, docs.momen.app, docs.stripe.com, editor.momen.app, en.wikipedia.org, example.com, forum.momen.app, github.com, graphql.com, graphql.org, json-schema.org, lottiefiles.com, momen.app, nextra.site, npm.functorz.work, npms.io, oss.cyzu.cn, raw.githubusercontent.com, react.dev, reactnative.dev, registry.npmmirror.com, stripe.com, villa.momen.app, webpack.docschina.org, www.airwallex.com, www.freeformatter.com, www.linkedin.com, www.mapbox.com, www.npmjs.com, www.postman.com, www.ruf.rice.edu, www.twilio.com, www.youtube.com
Oversized source lightweight scan
dist/ztype-XFHMGKZT.js7.00 MB file, sampled 256 KB
ChildProcessObfuscatedHighEntropyStringsMinified

Source & flagged code

8 flagged · loading source
dist/chunk-ZPFRIOCJ.jsView file
5`+n+"\u2190 "+t(n+" ")),i&&(s+=` L6: `+n+"\u2192 "+i(n+" ")),s};Re.printBinary=Pn});var Mi=a(Dt=>{"use strict";d();Object.defineProperty(Dt,"__esModule",{value:!0});var kn=(k(),E(P));kn.__exportStar(Ve(),Dt)});var Ri... L7: `+r)])}`,t,s=>this.clock.toString(s),i?t:null,i?s=>this.ext.toString(s):null])}};se.Model=q;q.sid=lr.randomSessionId;q.withLogicalClock=n=>q.create(void 0,n);q.withServerClock=(n=1...
High
Child Process

Package source references child process execution.

dist/chunk-ZPFRIOCJ.jsView on unpkg · L5
dist/server.jsView file
181\r L182: `+r)),e.removeListener("error",Fb),e.destroy()}function roe(e){return e.trim()}});var vM=v((ZRe,yM)=>{"use strict";p();var wl=Mb();wl.createWebSocketStream=dM();wl.Server=_M();wl.R... L183: `).join(`\r ... L191: || (${s} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(a,(0,me._)`+${i}`);return;case"boolean":n.elseIf((0,me._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L192: || ${s} === "boolean" || ${i} === null`).assign(a,(0,me._)`[${i}]`)}}}function Zme({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,me._)`${t} !== undefined`,()=>e.assign((0,me... L193: missingProperty: ${n},
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/server.jsView on unpkg · L181
181\r L182: `+r)),e.removeListener("error",Fb),e.destroy()}function roe(e){return e.trim()}});var vM=v((ZRe,yM)=>{"use strict";p();var wl=Mb();wl.createWebSocketStream=dM();wl.Server=_M();wl.R... L183: `).join(`\r ... L191: || (${s} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(a,(0,me._)`+${i}`);return;case"boolean":n.elseIf((0,me._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L192: || ${s} === "boolean" || ${i} === null`).assign(a,(0,me._)`[${i}]`)}}}function Zme({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,me._)`${t} !== undefined`,()=>e.assign((0,me... L193: missingProperty: ${n}, L194: depsCount: ${t}, L195: deps: ${r}}`};var Oye={keyword:"dependencies",type:"object",schemaType:"object",error:di.error,code(e){let[t,r]=wye(e);XV(e,t),eB(e,r)}};function wye({schema:e}){let t={},r={};for(... L196: `)}displayWidth(t){return cK(t).length}styleTitle(t){return t}styleUsage(t){return t.split(" ").map(r=>r==="[options]"?this.styleOptionText(r):r==="[command]"?this.styleSubcommandT...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/server.jsView on unpkg · L181
2Cross-file remote execution chain: dist/server.js spawns dist/index.cjs-2VQJNN76.js; helper contains network access plus dynamic code execution. L2: const require = __nodeCreateRequire(import.meta.url); L3: import{a as Q,c as v,d as E_,e as Dt,g as p,h as g}from"./chunk-F4ENOQHO.js";var aa=v((S_,MA)=>{p();var nd=Q("buffer"),Vn=nd.Buffer;function $A(e,t){for(var r in e)t[r]=e[r]}Vn.fro... L4: Supported algorithms are: L5: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512" and "none".`,ou="secret must be a string or buffer",ca="key must be a str... L6: `),l=n.split(/\r\n|[\n\r]/g),d=l[i];if(d.length>120){for(var f=Math.floor(c/80),m=c%80,h=[],_=0;_<d.length;_+=80)h.push(d.slice(_,_+80));return u+wP([["".concat(s),h[0]]].concat(h.... ... L16: L17: https://yarnpkg.com/en/docs/selective-version-resolutions L18: ... L173: `+r);var n=r[r.length-1],i=n==='"'&&r.slice(-4)!=='\\"""';return(i||n==="\\")&&(r+=` L174: `),'"""'+r+'"""'}});var lj=v(mo=>{"use strict";p();Object.defineProperty(mo,"__esModule",{value:!0});mo.findBreakingChanges=Rre;mo.findDangerousChanges=Pre;mo.DangerousChangeType=m... L175: `);let n;for(;(n=mne.exec(r))!=n…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/server.jsView on unpkg · L2
191|| (${s} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(a,(0,me._)`+${i}`);return;case"boolean":n.elseIf((0,me._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L192: || ${s} === "boolean" || ${i} === null`).assign(a,(0,me._)`[${i}]`)}}}function Zme({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,me._)`${t} !== undefined`,()=>e.assign((0,me... L193: missingProperty: ${n},
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/server.jsView on unpkg · L191
dist/index.cjs-2VQJNN76.jsView file
matchType = previous_version_dangerous_delta matchedPackage = momen-mcp@2.0.19 matchedIdentity = npm:bW9tZW4tbWNw:2.0.19 similarity = 0.889 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.cjs-2VQJNN76.jsView on unpkg
2const require = __nodeCreateRequire(import.meta.url); L3: import{a as ES}from"./chunk-ZPFRIOCJ.js";import{l as hS}from"./chunk-RHLUSB54.js";import{b as a,c as QA,d as rg,f as tg,g as e}from"./chunk-F4ENOQHO.js";var eg=QA((hd,Ed)=>{e();(fu... L4: /* [wrapped with `+t+`] */ L5: `)}var fM,Ng,Lg=a(()=>{e();fM=/\{(?:\n\/\* \[wrapped with .+\] \*\/)?\n?/;Ng=iM});function aM(r){return function(){return r}}var Oe,Ai=a(()=>{e();Oe=aM});var nM,wo,Gd=a(()=>{e();Ee... L6: `:"";r.replace(h,function(L,G,k,Hr,Sr,gr){return k||(k=Hr),x+=r.slice(d,gr).replace(zY,Db),G&&(s=!0,x+=`' + ... L21: `)+x+`return __p L22: }`;var D=Qo(function(){return Function(u,O+"return "+x).apply(void 0,m)});if(D.source=x,Ge(D))throw D;return D}var jY,YY,qY,VY,KY,Fb,XY,cl,zY,ZY,Hb,xl,UE=a(()=>{e();ie();Ga();Xa();...
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.cjs-2VQJNN76.jsView on unpkg · L2
dist/ztype-XFHMGKZT.jsView file
path = dist/ztype-XFHMGKZT.js kind = oversized_source_file sizeBytes = 7336407 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/ztype-XFHMGKZT.jsView on unpkg

Findings

1 Critical5 High3 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/index.cjs-2VQJNN76.js
HighChild Processdist/chunk-ZPFRIOCJ.js
HighSame File Env Network Executiondist/server.js
HighCommand Output Exfiltrationdist/server.js
HighCross File Remote Execution Contextdist/server.js
HighOversized Source Filedist/ztype-XFHMGKZT.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/server.js
LowWeak Cryptodist/index.cjs-2VQJNN76.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings