registry  /  momen-mcp  /  2.0.21

momen-mcp@2.0.21

⚠ Under review

MCP server for Momen.app

Static Scan Results

scanned 11d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 2.41 MB of source, external domains: aboutreact.com, altairgraphql.dev, api.example.com, app-logger-canary.momen.app, app-logger.momen.app, auth-canary.momen.app, auth.momen.app, backend-canary.momen.app, backend.momen.app, commonmark.org, console.cloud.google.com, console.twilio.com, day.js.org, demo.airwallex.com, dev.to, developer.mozilla.org, developers.google.com, docs.functorz.com, docs.momen.app, docs.stripe.com, editor.momen.app, en.wikipedia.org, example.com, forum.momen.app, github.com, graphql.com, graphql.org, json-schema.org, lottiefiles.com, momen.app, nextra.site, npm.functorz.work, npms.io, oss.cyzu.cn, raw.githubusercontent.com, react.dev, reactnative.dev, registry.npmmirror.com, stripe.com, villa.momen.app, webpack.docschina.org, www.airwallex.com, www.freeformatter.com, www.linkedin.com, www.mapbox.com, www.npmjs.com, www.postman.com, www.ruf.rice.edu, www.twilio.com, www.youtube.com
Oversized source lightweight scan
dist/ztype-CY3JSL42.js7.00 MB file, sampled 256 KB
ChildProcessObfuscatedHighEntropyStringsMinified

Source & flagged code

8 flagged · loading source
dist/chunk-XK2SG3QC.jsView file
2const require = __nodeCreateRequire(import.meta.url); L3: import{b as Xr,c as b,d as Qr,f as T,g as h}from"./chunk-ZSKEUSDJ.js";var A={};Qr(A,{__addDisposableResource:()=>ir,__assign:()=>Z,__asyncDelegator:()=>ze,__asyncGenerator:()=>Ye,_... L4: ${t}${r===e?"\u2514\u2500":"\u251C\u2500"} ${n.sid}.${n.time}`,r++}),`clock ${this.sid}.${this.time}${s}`}};_.ClockVector=Et;var Mt=class i extends G{constructor(){super(...argumen...
High
Child Process

Package source references child process execution.

dist/chunk-XK2SG3QC.jsView on unpkg · L2
dist/server.jsView file
347Expecting one of '${n.join("', '")}'`);return this._lifeCycleHooks[e]?this._lifeCycleHooks[e].push(r):this._lifeCycleHooks[e]=[r],this}exitOverride(e){return e?this._exitCallback=e... L348: - already used by option '${r.flags}'`)}this._initOptionGroup(e),this.options.push(e)}_registerCommand(e){let r=i=>[i.name()].concat(i.aliases()),n=r(e).find(i=>this._findCommand(... L349: - either make a new Command for each call to parse, or stop storing options as properties`);this._name=this._savedState._name,this._scriptPath=null,this.rawArgs=[],this._optionValu... ... L357: Expecting one of '${n.join("', '")}'`);let i=`${e}Help`;return this.on(i,s=>{let o;typeof r=="function"?o=r({error:s.error,command:s.command}):o=r,o&&s.write(`${o} L358: `)}),this}_outputHelpIfRequested(e){let r=this._getHelpOption();r&&e.find(i=>r.is(i))&&(this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)"))}};function zR(t){r... L359: `)}catch{wL=!0}}function ni(t,e,...r){if(ol[t]<J8())return;let n=`[${lt}] ${e} ${r.length>0?JSON.stringify(r):""}`;if(o7(t,n),$E)try{$E.server.sendLoggingMessage({level:t,data:n})....
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/server.jsView on unpkg · L347
321`?yield*this.pushCount(1):e==="\r"&&this.charAt(1)===` L322: `?yield*this.pushCount(2):0}*pushSpaces(e){let r=this.pos-1,n;do n=this.buffer[++r];while(n===" "||e&&n===" ");let i=r-this.pos;return i>0&&(yield this.buffer.substr(this.pos,i),th... L323: `)+1;for(;r!==0;)this.onNewLine(this.offset+r),r=this.source.indexOf(` ... L329: || (${o} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(a,(0,ge._)`+${i}`);return;case"boolean":n.elseIf((0,ge._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L330: || ${o} === "boolean" || ${i} === null`).assign(a,(0,ge._)`[${i}]`)}}}function A0e({gen:t,parentData:e,parentDataProperty:r},n){t.if((0,ge._)`${e} !== undefined`,()=>t.assign((0,ge... L331: missingProperty: ${n}, L332: depsCount: ${e}, L333: deps: ${r}}`};var oxe={keyword:"dependencies",type:"object",schemaType:"object",error:wi.error,code(t){let[e,r]=axe(t);m4(t,e),g4(t,r)}};function axe({schema:t}){let e={},r={};for(... L334: `)}displayWidth(e){return IJ(e).length}styleTitle(e){return e}styleUsage(e){return e.split(" ").map(r=>r==="[options]"?this.styleOptionText(r):r==="[command]"?this.styleSubcommandT...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/server.jsView on unpkg · L321
2Cross-file remote execution chain: dist/server.js spawns dist/index.cjs-ZJEKTFTT.js; helper contains network access plus dynamic code execution. L2: const require = __nodeCreateRequire(import.meta.url); L3: import{a as K,c as v,d as Gv,e as Ct,g as p,h as g}from"./chunk-ZSKEUSDJ.js";var Fa=v((Bv,ZR)=>{p();var Nf=K("buffer"),ti=Nf.Buffer;function BR(t,e){for(var r in t)e[r]=t[r]}ti.fro... L4: Supported algorithms are: L5: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512" and "none".`,Ju="secret must be a string or buffer",Ga="key must be a str... L6: `),l=n.split(/\r\n|[\n\r]/g),d=l[i];if(d.length>120){for(var f=Math.floor(c/80),h=c%80,m=[],y=0;y<d.length;y+=80)m.push(d.slice(y,y+80));return u+kL([["".concat(o),m[0]]].concat(m.... ... L16: L17: https://yarnpkg.com/en/docs/selective-version-resolutions L18: ... L173: `+r);var n=r[r.length-1],i=n==='"'&&r.slice(-4)!=='\\"""';return(i||n==="\\")&&(r+=` L174: `),'"""'+r+'"""'}});var _1=v(xs=>{"use strict";p();Object.defineProperty(xs,"__esModule",{value:!0});xs.findBreakingChanges=Kue;xs.findDangerousChanges=Hue;xs.DangerousChangeType=x... L175: `);let n;for(;(n=xle.exec(r))!=n…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/server.jsView on unpkg · L2
329|| (${o} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(a,(0,ge._)`+${i}`);return;case"boolean":n.elseIf((0,ge._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L330: || ${o} === "boolean" || ${i} === null`).assign(a,(0,ge._)`[${i}]`)}}}function A0e({gen:t,parentData:e,parentDataProperty:r},n){t.if((0,ge._)`${e} !== undefined`,()=>t.assign((0,ge... L331: missingProperty: ${n},
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/server.jsView on unpkg · L329
dist/index.cjs-ZJEKTFTT.jsView file
matchType = previous_version_dangerous_delta matchedPackage = momen-mcp@2.0.19 matchedIdentity = npm:bW9tZW4tbWNw:2.0.19 similarity = 0.889 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.cjs-ZJEKTFTT.jsView on unpkg
2const require = __nodeCreateRequire(import.meta.url); L3: import{a as AS}from"./chunk-C6XXXYQ6.js";import{l as ES}from"./chunk-XK2SG3QC.js";import{b as a,c as QA,d as rg,f as tg,g as e}from"./chunk-ZSKEUSDJ.js";var eg=QA((hd,Ed)=>{e();(fu... L4: /* [wrapped with `+t+`] */ L5: `)}var iM,Ng,Lg=a(()=>{e();iM=/\{(?:\n\/\* \[wrapped with .+\] \*\/)?\n?/;Ng=aM});function nM(r){return function(){return r}}var Oe,Ai=a(()=>{e();Oe=nM});var uM,wo,Gd=a(()=>{e();Ee... L6: `:"";r.replace(h,function(L,G,k,Hr,Sr,gr){return k||(k=Hr),x+=r.slice(d,gr).replace(ZY,Db),G&&(s=!0,x+=`' + ... L21: `)+x+`return __p L22: }`;var D=Qo(function(){return Function(u,O+"return "+x).apply(void 0,m)});if(D.source=x,Ge(D))throw D;return D}var YY,qY,VY,KY,XY,Fb,zY,cl,ZY,JY,Hb,xl,UE=a(()=>{e();ie();Ga();Xa();...
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.cjs-ZJEKTFTT.jsView on unpkg · L2
dist/ztype-CY3JSL42.jsView file
path = dist/ztype-CY3JSL42.js kind = oversized_source_file sizeBytes = 7337946 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/ztype-CY3JSL42.jsView on unpkg

Findings

1 Critical5 High3 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/index.cjs-ZJEKTFTT.js
HighChild Processdist/chunk-XK2SG3QC.js
HighSame File Env Network Executiondist/server.js
HighCommand Output Exfiltrationdist/server.js
HighCross File Remote Execution Contextdist/server.js
HighOversized Source Filedist/ztype-CY3JSL42.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/server.js
LowWeak Cryptodist/index.cjs-ZJEKTFTT.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings