registry  /  momen-mcp  /  2.1.4

momen-mcp@2.1.4

⚠ Under review

MCP server for Momen.app

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 2.58 MB of source, external domains: aboutreact.com, altairgraphql.dev, api.example.com, api.external.com, app-logger-canary.momen.app, app-logger.momen.app, auth-canary.momen.app, auth.momen.app, backend-canary.momen.app, backend.momen.app, cli.im, commonmark.org, console.amap.com, console.cloud.google.com, console.twilio.com, day.js.org, demo.airwallex.com, dev.to, developer.mozilla.org, developers.google.com, docs.momen.app, docs.stripe.com, editor.momen.app, en.wikipedia.org, example.com, forum.momen.app, github.com, graphql.com, graphql.org, help.example.com, json-schema.org, lottiefiles.com, momen.app, npms.io, partner.example.com, raw.githubusercontent.com, react.dev, reactnative.dev, registry.npmmirror.com, stripe.com, villa.momen.app, webpack.js.org, www.airwallex.com, www.example.com, www.freeformatter.com, www.linkedin.com, www.momen.app, www.postman.com, www.twilio.com, www.youtube.com
Oversized source lightweight scan
dist/ztype-HGQFDZPO.js7.38 MB file, sampled 256 KB
ChildProcessObfuscatedHighEntropyStringsMinified

Source & flagged code

8 flagged · loading source
dist/chunk-ABPE7CZQ.jsView file
5`+n+"\u2190 "+t(n+" ")),i&&(s+=` L6: `+n+"\u2192 "+i(n+" ")),s};Re.printBinary=Pn});var Mi=a(Dt=>{"use strict";d();Object.defineProperty(Dt,"__esModule",{value:!0});var kn=(k(),E(P));kn.__exportStar(Ve(),Dt)});var Ri... L7: `+r)])}`,t,s=>this.clock.toString(s),i?t:null,i?s=>this.ext.toString(s):null])}};se.Model=q;q.sid=lr.randomSessionId;q.withLogicalClock=n=>q.create(void 0,n);q.withServerClock=(n=1...
High
Child Process

Package source references child process execution.

dist/chunk-ABPE7CZQ.jsView on unpkg · L5
dist/server.jsView file
347Expecting one of '${n.join("', '")}'`);return this._lifeCycleHooks[e]?this._lifeCycleHooks[e].push(r):this._lifeCycleHooks[e]=[r],this}exitOverride(e){return e?this._exitCallback=e... L348: - already used by option '${r.flags}'`)}this._initOptionGroup(e),this.options.push(e)}_registerCommand(e){let r=i=>[i.name()].concat(i.aliases()),n=r(e).find(i=>this._findCommand(... L349: - either make a new Command for each call to parse, or stop storing options as properties`);this._name=this._savedState._name,this._scriptPath=null,this.rawArgs=[],this._optionValu... ... L357: Expecting one of '${n.join("', '")}'`);let i=`${e}Help`;return this.on(i,o=>{let s;typeof r=="function"?s=r({error:o.error,command:o.command}):s=r,s&&o.write(`${s} L358: `)}),this}_outputHelpIfRequested(e){let r=this._getHelpOption();r&&e.find(i=>r.is(i))&&(this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)"))}};function Mx(t){r... L359: `)}catch{vL=!0}}function ri(t,e,...r){if(sl[t]<U8())return;let n=`[${Xe}] ${e} ${r.length>0?JSON.stringify(r):""}`;if(Q8(t,n),OE)try{OE.server.sendLoggingMessage({level:t,data:n})....
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/server.jsView on unpkg · L347
321`?yield*this.pushCount(1):e==="\r"&&this.charAt(1)===` L322: `?yield*this.pushCount(2):0}*pushSpaces(e){let r=this.pos-1,n;do n=this.buffer[++r];while(n===" "||e&&n===" ");let i=r-this.pos;return i>0&&(yield this.buffer.substr(this.pos,i),th... L323: `)+1;for(;r!==0;)this.onNewLine(this.offset+r),r=this.source.indexOf(` ... L329: || (${s} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(a,(0,ge._)`+${i}`);return;case"boolean":n.elseIf((0,ge._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L330: || ${s} === "boolean" || ${i} === null`).assign(a,(0,ge._)`[${i}]`)}}}function bAe({gen:t,parentData:e,parentDataProperty:r},n){t.if((0,ge._)`${e} !== undefined`,()=>t.assign((0,ge... L331: missingProperty: ${n}, L332: depsCount: ${e}, L333: deps: ${r}}`};var eRe={keyword:"dependencies",type:"object",schemaType:"object",error:wi.error,code(t){let[e,r]=tRe(t);p4(t,e),f4(t,r)}};function tRe({schema:t}){let e={},r={};for(... L334: `)}displayWidth(e){return hJ(e).length}styleTitle(e){return e}styleUsage(e){return e.split(" ").map(r=>r==="[options]"?this.styleOptionText(r):r==="[command]"?this.styleSubcommandT...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/server.jsView on unpkg · L321
2Cross-file remote execution chain: dist/server.js spawns dist/index.cjs-L7W4N4U4.js; helper contains network access plus dynamic code execution. L2: const require = __nodeCreateRequire(import.meta.url); L3: import{a as K,c as E,d as Cv,e as Dt,g as d,h as g}from"./chunk-XK36JTKO.js";var qa=E((Lv,qx)=>{d();var Pf=K("buffer"),ei=Pf.Buffer;function $x(t,e){for(var r in t)e[r]=t[r]}ei.fro... L4: Supported algorithms are: L5: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512" and "none".`,Ju="secret must be a string or buffer",Fa="key must be a str... L6: `),l=n.split(/\r\n|[\n\r]/g),p=l[i];if(p.length>120){for(var f=Math.floor(c/80),h=c%80,m=[],y=0;y<p.length;y+=80)m.push(p.slice(y,y+80));return u+AL([["".concat(s),m[0]]].concat(m.... ... L16: L17: https://yarnpkg.com/en/docs/selective-version-resolutions L18: ... L173: `+r);var n=r[r.length-1],i=n==='"'&&r.slice(-4)!=='\\"""';return(i||n==="\\")&&(r+=` L174: `),'"""'+r+'"""'}});var dF=E(Po=>{"use strict";d();Object.defineProperty(Po,"__esModule",{value:!0});Po.findBreakingChanges=jue;Po.findDangerousChanges=$ue;Po.DangerousChangeType=P... L175: `);let n;for(;(n=Ele.exec(r))!=n…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/server.jsView on unpkg · L2
329|| (${s} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(a,(0,ge._)`+${i}`);return;case"boolean":n.elseIf((0,ge._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L330: || ${s} === "boolean" || ${i} === null`).assign(a,(0,ge._)`[${i}]`)}}}function bAe({gen:t,parentData:e,parentDataProperty:r},n){t.if((0,ge._)`${e} !== undefined`,()=>t.assign((0,ge... L331: missingProperty: ${n},
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/server.jsView on unpkg · L329
dist/index.cjs-L7W4N4U4.jsView file
matchType = previous_version_dangerous_delta matchedPackage = momen-mcp@2.0.19 matchedIdentity = npm:bW9tZW4tbWNw:2.0.19 similarity = 0.778 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.cjs-L7W4N4U4.jsView on unpkg
2const require = __nodeCreateRequire(import.meta.url); L3: import{a as AS}from"./chunk-ABPE7CZQ.js";import{l as ES}from"./chunk-7T43OQBY.js";import{b as a,c as QA,d as rg,f as tg,g as e}from"./chunk-XK36JTKO.js";var eg=QA((hd,Ed)=>{e();(fu... L4: /* [wrapped with `+t+`] */ L5: `)}var iM,Ng,Lg=a(()=>{e();iM=/\{(?:\n\/\* \[wrapped with .+\] \*\/)?\n?/;Ng=aM});function nM(r){return function(){return r}}var Oe,Ai=a(()=>{e();Oe=nM});var uM,wo,Gd=a(()=>{e();Ee... L6: `:"";r.replace(h,function(L,G,k,Hr,Sr,gr){return k||(k=Hr),x+=r.slice(d,gr).replace(ZY,Db),G&&(s=!0,x+=`' + ... L21: `)+x+`return __p L22: }`;var D=Qo(function(){return Function(u,O+"return "+x).apply(void 0,m)});if(D.source=x,Ge(D))throw D;return D}var YY,qY,VY,KY,XY,Fb,zY,cl,ZY,JY,Hb,xl,UE=a(()=>{e();ie();Ga();Xa();...
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.cjs-L7W4N4U4.jsView on unpkg · L2
dist/ztype-HGQFDZPO.jsView file
path = dist/ztype-HGQFDZPO.js kind = oversized_source_file sizeBytes = 7739205 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/ztype-HGQFDZPO.jsView on unpkg

Findings

1 Critical5 High3 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/index.cjs-L7W4N4U4.js
HighChild Processdist/chunk-ABPE7CZQ.js
HighSame File Env Network Executiondist/server.js
HighCommand Output Exfiltrationdist/server.js
HighCross File Remote Execution Contextdist/server.js
HighOversized Source Filedist/ztype-HGQFDZPO.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/server.js
LowWeak Cryptodist/index.cjs-L7W4N4U4.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings