No confirmed malicious attack surface is established. The executable is an MCP server that uses user-supplied Yandex credentials for its stated API integration and optionally saves them in its own configuration file.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the bin and invokes an MCP OAuth, credential, or Yandex Webmaster tool.
Impact
Reads SEO data from Yandex and stores supplied OAuth credentials locally when requested.
Mechanism
Authenticated Yandex OAuth and Webmaster API client with package-owned credential storage.
Rationale
Static inspection shows package-aligned OAuth and Yandex Webmaster functionality, not credential exfiltration or stealth execution. Scanner signals arise from legitimate credential handling, fixed API calls, and explicit package-owned configuration persistence.
Evidence
package.jsondist/index.jsREADME.md
Network endpoints3
oauth.yandex.ru/tokenoauth.yandex.ru/authorize?response_type=code&client_id=${clientId}${args.accountapi.webmaster.yandex.net/v4