sdl-mcp@0.11.13

Symbol Delta Ledger MCP Server - Cards-first code context for polyglot repositories

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot

Behavioral surface (source): ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, NativeBindings, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: NoLicense

scanned 506 file(s), 5.56 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, github.com, huggingface.co, nodejs.org, opencode.ai

Source & flagged code

4 flagged

package.json
    scripts.postinstall = node scripts/postinstall.mjs
High · Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
    scripts.postinstall = node scripts/postinstall.mjs
Medium · Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

dist/scip/decoder-rust.js (line 10)
    L10: import { logger } from "../util/logger.js";
    L11: const require = createRequire(import.meta.url);
    L12: const __dirname = fileURLToPath(new URL(".", import.meta.url));
Medium · Dynamic Require
Package source references dynamic require/import behavior.

dist/db/ladybug.js (line 90)
    L90:  /** @internal exported for focused config/env tests. */
    L91:  export function [redacted](env = process.env, explicitValue) {
    L92:      const candidate = explicitValue ?? Number.parseInt((env[CHECKPOINT_THRESHOLD_ENV] ?? "").trim(), 10);
    ...
    L332: try {
    L333:     await exec(conn, "RETURN 1");
    L334:     return true;
Medium · Unsafe Vm Context
Package source executes code through a VM context API.

Findings

1 High · 6 Medium · 6 Low

High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/scip/decoder-rust.js
Medium · Unsafe Vm Context · dist/db/ladybug.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License