sdl-mcp@0.12.1

Symbol Delta Ledger MCP Server - Cards-first code context for polyglot repositories

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff from the previous stored version introduces dangerous source.

Decision evidence

Public snapshot

Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Native Bindings, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No License
scanned 509 file(s), 5.67 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, github.com, huggingface.co, nodejs.org, opencode.ai

Source & flagged code

5 flagged

package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

Location: package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Location: package.json

dist/scip/decoder-rust.js
L10: import { logger } from "../util/logger.js";
L11: const require = createRequire(import.meta.url);
L12: const __dirname = fileURLToPath(new URL(".", import.meta.url));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

Location: dist/scip/decoder-rust.js, line 10

dist/db/ladybug.js
L90: /** @internal exported for focused config/env tests. */
L91: export function [redacted](env = process.env, explicitValue) {
L92: const candidate = explicitValue ?? Number.parseInt((env[CHECKPOINT_THRESHOLD_ENV] ?? "").trim(), 10);
...
L332: try {
L333: await exec(conn, "RETURN 1");
L334: return true;
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

Location: dist/db/ladybug.js, line 90

dist/mcp/tools/runtime.js
matchType = previous_version_dangerous_delta
matchedPackage = sdl-mcp@0.11.13
matchedIdentity = npm:c2RsLW1jcA:0.11.13
similarity = 0.833
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

Location: dist/mcp/tools/runtime.js

Findings

2 High · 6 Medium · 6 Low

High: Install Time Lifecycle Scripts (package.json)
High: Previous Version Dangerous Delta (dist/mcp/tools/runtime.js)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Dynamic Require (dist/scip/decoder-rust.js)
Medium: Unsafe Vm Context (dist/db/ladybug.js)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings
Low: No License