registry  /  netsuite-supermcp  /  0.1.8

netsuite-supermcp@0.1.8

A NetSuite MCP server with OAuth, REST/RESTlet tools, client installers, and account permission probes.

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 47 file(s), 124 KB of source, external domains: 1234567-sb1.restlets.api.netsuite.com, 1234567-sb1.suitetalk.api.netsuite.com, 127.0.0.1, bun.sh, docs.oracle.com, system.netsuite.com

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/netsuite-supermcp-install.mjsView file
1#!/usr/bin/env node L2: import { spawnSync } from "node:child_process" L3: import { dirname, join } from "node:path"
High
Child Process

Package source references child process execution.

bin/netsuite-supermcp-install.mjsView on unpkg · L1
scripts/smoke.tsView file
1import { spawn } from "node:child_process" L2: import { rm } from "node:fs/promises" ... L6: const SmokeConfigSchema = z.object({ L7: baseUrl: z.string().url().default("http://127.0.0.1:3025"), L8: token: z.string().min(12).default("test-token-12345"), ... L11: const config = SmokeConfigSchema.parse({ L12: baseUrl: process.env["SMOKE_BASE_URL"], L13: token: process.env["MCP_BEARER_TOKEN"],
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

scripts/smoke.tsView on unpkg · L1
bin/netsuite-supermcp-setup.mjsView file
1#!/usr/bin/env node L2: import { spawnSync } from "node:child_process" L3: import { dirname, join } from "node:path" ... L8: encoding: "utf8", L9: shell: process.platform === "win32", L10: }) ... L12: console.error("NetSuite SuperMCP setup needs Bun.") L13: console.error("Install Bun: https://bun.sh/docs/installation") L14: console.error("Then rerun: netsuite-supermcp setup")
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/netsuite-supermcp-setup.mjsView on unpkg · L1
setup.shView file
path = setup.sh kind = build_helper sizeBytes = 1116 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

setup.shView on unpkg

Findings

5 High5 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/netsuite-supermcp-install.mjs
HighShell
HighSame File Env Network Executionscripts/smoke.ts
HighSandbox Evasion Gated Capabilitybin/netsuite-supermcp-setup.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpersetup.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings