registry  /  run-mcp  /  1.7.4

run-mcp@1.7.4

A smart proxy and interactive REPL for Model Context Protocol (MCP) servers

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 361 KB of source, external domains: 127.0.0.1, datatracker.ietf.org, json-schema.org

Source & flagged code

4 flagged · loading source
dist/index.jsView file
9import { tmpdir as tmpdir3 } from "os"; L10: import { spawn } from "child_process"; L11:
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L9
10021daemonArgs.push(...target); L10022: const daemonProcess = spawn("node", [binPath, ...daemonArgs], { L10023: detached: true, ... L10030: if (session) break; L10031: await new Promise((resolve4) => setTimeout(resolve4, 100)); L10032: attempts++; ... L10034: if (!session) { L10035: process.stderr.write( L10036: `Error: Failed to spawn background daemon for session "${sessionName}".
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L10021
2061const mxcModule = "@microsoft/mxc-sdk"; L2062: await import(mxcModule); L2063: hasMxc = true;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L2061
4import { program } from "commander"; L5: import { createConnection, createServer } from "net"; L6: import { existsSync as existsSync6 } from "fs"; ... L9: import { tmpdir as tmpdir3 } from "os"; L10: import { spawn } from "child_process"; L11: ... L19: function getConfigPaths() { L20: const home = homedir(); L21: const cwd = process2.cwd(); ... L73: const content = await readFile(file, "utf8"); L74: const json = JSON.parse(content); L75: let mcpServers;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L4

Findings

3 High4 Medium6 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings