
n8n-mcp@2.62.0

Integration between n8n workflow automation and Model Context Protocol (MCP)

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot

Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell
Supply chain: High Entropy Strings, URL Strings
Manifest: no manifest risk signals triggered.

Scanned 212 file(s), 2.10 MB of source.
External domains referenced: api-staging.n8n.io, api.example.com, api.github.com, api.n8n.io, api.npmjs.org, docs.google.com, example.com, github.com, n8n-mcp.com, n8n.io, registry.npmjs.org, www.n8n-mcp.com, ydyufsohxdfpopqbubwk.supabase.co, your-api.com, your-n8n-instance.com, your-n8n.com

Source & flagged code

6 flagged
dist/telemetry/telemetry-types.js, line 18
Critical · Critical Secret
Package contains a critical-looking secret pattern.
pattern: supabase_service_key · severity: critical · matched text: ANON_KEY...kCk'

dist/telemetry/telemetry-types.js, line 18
Critical · Secret Pattern
Supabase service role key (JWT) in dist/telemetry/telemetry-types.js
pattern: supabase_service_key · severity: critical · matched text: ANON_KEY...kCk'

The matched text begins with ANON_KEY, so confirm which key this is before treating it as a service_role leak: decode the JWT payload and read its role claim. A Supabase anon key is designed to ship in clients and is gated by row-level security; a service_role key bypasses RLS and must be rotated if it has been published.
dist/services/node-specific-validators.js, line 1435
Low · Eval
Package source references a known benign dynamic code generation pattern.

  1435: const dangerousPatterns = [
  1436:   { pattern: /eval\s*\(/, message: 'Avoid eval() - it\'s a security risk' },
  1437:   { pattern: /Function\s*\(/, message: 'Avoid Function constructor - use regular functions' },

The flagged lines are regex literals in the validator's own denylist of risky patterns; nothing in this excerpt calls eval() or the Function constructor.
dist/mcp-engine.js, line 3
Medium · Dynamic Require
Package source references dynamic require/import behavior.

  3: exports.N8NMCPEngine = void 0;
  4: const http_server_single_session_1 = require("./http-server-single-session");
  5: const logger_1 = require("./utils/logger");

The excerpt shows only string-literal require() calls, which resolve statically; the dynamic require this rule matched is not among the displayed lines, so open the full file to see what is loaded by a computed path.
dist/utils/ssrf-protection.js, line 7
High · Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.

  7: const url_1 = require("url");
  8: const promises_1 = require("dns/promises");
  9: const net_1 = require("net");
  ...
  28: ]);
  29: const PRIVATE_IP_RANGES = [
  30:   /^10\./,
  ...
  106: const url = new url_1.URL(urlString);
  107: const mode = (process.env.WEBHOOK_SECURITY_MODE || 'strict');
  108: if (!['http:', 'https:'].includes(url.protocol)) {

The excerpt has the shape of an SSRF guard rather than a metadata client: dns/promises and net are imported, a PRIVATE_IP_RANGES denylist is declared, and the URL protocol is checked against an allowlist. A link-local or metadata address listed in a denylist trips the same static signal as a request to it, so the review question is whether any code path opens a connection to an address the denylist should have refused, and what WEBHOOK_SECURITY_MODE permits when it is set to something other than the default 'strict'.
dist/telemetry/telemetry-types.d.ts, line 75
Critical · Secret Pattern
Supabase service role key (JWT) in dist/telemetry/telemetry-types.d.ts
pattern: supabase_service_key · severity: critical · matched text: readonly...Ck";

Findings

3 Critical · 1 High · 4 Medium · 4 Low

Severity   Finding                               File
Critical   Critical Secret                       dist/telemetry/telemetry-types.js
Critical   Secret Pattern                        dist/telemetry/telemetry-types.js
Critical   Secret Pattern                        dist/telemetry/telemetry-types.d.ts
High       Cloud Metadata Access                 dist/utils/ssrf-protection.js
Medium     Dynamic Require                       dist/mcp-engine.js
Medium     Network
Medium     Environment Vars
Medium     Structural Risk (Force Deep Review)
Low        Eval                                  dist/services/node-specific-validators.js
Low        Filesystem
Low        High Entropy Strings
Low        URL Strings