n8n-mcp@2.63.0

Integration between n8n workflow automation and Model Context Protocol (MCP)

Static Scan Results

scanned 6h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; in addition, the diff against the previous stored version (2.62.0) introduced a new source file classified as dangerous.

Decision evidence

Public snapshot

Behavioral surface
  Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell
  Supply chain: HighEntropyStrings, UrlStrings
  Manifest: no manifest risk signals triggered.

Scanned 213 file(s), 2.11 MB of source. External domains referenced: api-staging.n8n.io, api.example.com, api.github.com, api.n8n.io, api.npmjs.org, docs.google.com, example.com, github.com, n8n-mcp.com, n8n.io, registry.npmjs.org, www.n8n-mcp.com, ydyufsohxdfpopqbubwk.supabase.co, your-api.com, your-n8n-instance.com, your-n8n.com

Reading the domain list: api.example.com, example.com, your-api.com, your-n8n-instance.com and your-n8n.com are documentation placeholders, and the n8n, GitHub and npm hosts are what a package in this space is expected to talk to. The one host worth a closer look in a source review is ydyufsohxdfpopqbubwk.supabase.co, because the flagged Supabase key (below) is only meaningful against the project it was issued for.

Source & flagged code

7 flagged locations
dist/telemetry/telemetry-types.js, line 18
  patternName = supabase_service_key   severity = critical   matchedText = ANON_KEY...kCk'

Critical · Critical Secret
Package contains a critical-looking secret pattern.

Critical · Secret Pattern
Supabase service role key (JWT) in dist/telemetry/telemetry-types.js

Reviewer note: the two critical findings above are one match reported by two rules. The rule name says service key, but the matched identifier begins with ANON_KEY. Supabase issues two JWTs per project: the anon key, which is meant to be embedded in clients and is bounded by Row Level Security, and the service_role key, which bypasses RLS. Which one this is decides whether the finding is a rotate-now incident or a public client key shipped as intended. The token is truncated on this page, so settle it by decoding the role claim of the full literal in the file, and if it turns out to be the anon key, review the project's RLS policies instead of treating the key itself as the problem.
dist/services/node-specific-validators.js, line 1515
  const dangerousPatterns = [
      { pattern: /(?<![.\w$])eval\s*\(/, message: 'Avoid eval() - it\'s a security risk' },
      { pattern: /(?<![.\w$])Function\s*\(/, message: 'Avoid Function constructor - use regular functions' },

Low · Eval
Package source references a known benign dynamic code generation pattern.

Reviewer note: the match is the text "eval(" inside a regular-expression literal in the package's own validator, which exists to warn users against eval() and the Function constructor in the code they write. Nothing in this excerpt evaluates anything; the Low rating is appropriate.
dist/mcp-engine.js, line 3
  exports.N8NMCPEngine = void 0;
  const http_server_single_session_1 = require("./http-server-single-session");
  const logger_1 = require("./utils/logger");

Medium · Dynamic Require
Package source references dynamic require/import behavior.

Reviewer note: the lines shown are string-literal requires of the package's own modules, which is not dynamic loading. Whatever triggered this signal is not visible in the excerpt; locate the require() or import() whose argument is computed at run time before accepting the Medium rating, and check where that argument comes from.
dist/utils/ssrf-protection.js, line 7
  const url_1 = require("url");
  const promises_1 = require("dns/promises");
  const net_1 = require("net");
  ...
  ]);
  const PRIVATE_IP_RANGES = [
      /^10\./,
  ...
  const url = new url_1.URL(urlString);
  const mode = (process.env.WEBHOOK_SECURITY_MODE || 'strict');
  if (!['http:', 'https:'].includes(url.protocol)) {

High · Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.

Reviewer note: the excerpt is a blocklist (PRIVATE_IP_RANGES, a protocol allowlist, and a dns/promises import for resolving the target), so a metadata-endpoint address matched in this file is most likely listed to be refused, not contacted. Two things are worth confirming in the full file: that the range check runs against the addresses the hostname resolves to and that the request is then made to those same addresses, otherwise a DNS answer can change between the check and the connection; and what the other values of WEBHOOK_SECURITY_MODE permit, since the mode is read from the environment and 'strict' is only the default.
dist/scripts/rebuild-optimized.js
  matchType = previous_version_dangerous_delta
  matchedPackage = n8n-mcp@2.62.0
  matchedIdentity = npm:bjhuLW1jcA:2.62.0
  similarity = 0.900
  summary = stored previous version shares package body but lacks this dangerous source file

High · Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

Reviewer note: 2.63.0 is 90% similar to 2.62.0 by package body, and the difference that matters is one new file under dist/scripts/. The review question is narrow: what does rebuild-optimized.js do, and is it invoked automatically (a package.json lifecycle script, or a require from code that runs at startup) or only when someone runs it by hand? Diffing the two published tarballs answers the first half; package.json and the new file's importers answer the second.
dist/telemetry/telemetry-types.d.ts, line 75
  patternName = supabase_service_key   severity = critical   matchedText = readonly...Ck";

Critical · Secret Pattern
Supabase service role key (JWT) in dist/telemetry/telemetry-types.d.ts

Reviewer note: this is a TypeScript declaration file, and the match is on a readonly property whose type is the literal string itself. The matched text ends in the same characters as the telemetry-types.js match, which is consistent with the build emitting the same token into both files, so this is the same secret counted a second time and it has the same disposition as the .js finding: establish whether the token's role claim is anon or service_role.

Findings

3 Critical · 2 High · 4 Medium · 4 Low

  Critical  Critical Secret                      dist/telemetry/telemetry-types.js
  Critical  Secret Pattern                       dist/telemetry/telemetry-types.js
  Critical  Secret Pattern                       dist/telemetry/telemetry-types.d.ts
  High      Cloud Metadata Access                dist/utils/ssrf-protection.js
  High      Previous Version Dangerous Delta     dist/scripts/rebuild-optimized.js
  Medium    Dynamic Require                      dist/mcp-engine.js
  Medium    Network                              (package-wide, no file attributed)
  Medium    Environment Vars                     (package-wide, no file attributed)
  Medium    Structural Risk Force Deep Review    (package-wide, no file attributed)
  Low       Eval                                 dist/services/node-specific-validators.js
  Low       Filesystem                           (package-wide, no file attributed)
  Low       High Entropy Strings                 (package-wide, no file attributed)
  Low       Url Strings                          (package-wide, no file attributed)