No confirmed malicious attack surface. The package is an explicitly launched MCP server that stores user-provided Yandex credentials and queries Yandex APIs.
Static reason
One or more suspicious static signals were detected.
Trigger
User launches the bin and invokes MCP authentication or Yandex Webmaster tools.
Impact
Can persist supplied Yandex OAuth credentials in its own config file and access the user's authorized Yandex Webmaster data.
Mechanism
Explicit MCP credential setup and authenticated Yandex API requests.
Rationale
Static inspection shows a package-aligned, explicitly invoked Yandex Webmaster MCP client. Scanner signals reflect normal OAuth credential handling and API access, not exfiltration or stealth execution.
Evidence
package.jsondist/index.jsREADME.md~/.config/seo-tools-mcp/.env
Network endpoints3
oauth.yandex.ru/tokenoauth.yandex.ru/authorizeapi.webmaster.yandex.net/v4