react-docs-mcp@1.2.0

MCP server providing AI agents with semantic search over React documentation

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No source-grounded attack surface can be confirmed because package files were not readable through available tools.

Static reason: One or more suspicious static signals were detected.
Trigger: unknown
Impact: unknown
Mechanism: unverified package contents
Rationale: Source inspection was required before a verdict, but the runtime did not expose a filesystem inspection tool in this turn. A definitive clean or malicious verdict would be unsupported without reading package files.

Decision evidence

public snapshot
AI called this Manual Review at 10.0% confidence as Unknown with high false-positive risk.
Evidence for warning
  • Cannot inspect package files in this environment: no filesystem command tool is available in the assistant toolset, despite the task requiring source inspection.
Evidence against
    Behavioral surface
    Source
    EnvironmentVars
    Filesystem
    Supply chain
    UrlStrings
    Manifest: No manifest risk signals triggered.
    scanned 12 file(s), 46.5 KB of source, external domains: github.com, react.dev, reactnative.dev

    Source & flagged code

    2 flagged
    package.json
    scripts.postinstall = node dist/index.js --version || echo 'Run: npx react-docs-mcp'
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.json
    scripts.postinstall = node dist/index.js --version || echo 'Run: npx react-docs-mcp'
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.json

    Findings

    1 High, 2 Medium, 4 Low
    High: Install Time Lifecycle Scripts (package.json)
    Medium: Ambiguous Install Lifecycle Script (package.json)
    Medium: Environment Vars
    Low: Non Install Lifecycle Scripts
    Low: Scripts Present
    Low: Filesystem
    Low: Url Strings