slashvibe-mcp@0.5.10

Social layer for Claude Code - DMs, presence, Matrix multiplayer rooms, and connection between AI-assisted developers

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 241 file(s), 1.86 MB of source, external domains: api.neynar.com, api.pinata.cloud, api.telegram.org, api.twitter.com, basescan.org, bridge.vibe.network, conduit.xyz, discord.com, docs.neynar.com, docs.slashvibe.dev, eth.llamarpc.com, etherscan.io, example.com, explorer-testnet.vibe.network, explorer.vibe.network, fonts.googleapis.com, fonts.gstatic.com, github.com, graph.facebook.com, mainnet.base.org, my-project.vercel.app, neynar.com, opensea.io, rpc-testnet.vibe.network, rpc.vibe.network, sepolia.base.org, sepolia.basescan.org, slashvibe.dev, testnets.opensea.io, twitter.com, vibe.fyi, warpcast.com, www.slashvibe.dev, x.com, your-domain.com, yourapp.vercel.app

Source & flagged code

6 flagged
tools/_work-context.test.js
L83: patternName = github_pat severity = critical line = 83 matchedText = const in...90';
Critical
Critical Secret

Package contains a critical-looking secret pattern.

tools/_work-context.test.js · L83
L83: patternName = github_pat severity = critical line = 83 matchedText = const in...90';
Critical
Secret Pattern

GitHub personal access token in tools/_work-context.test.js

tools/_work-context.test.js · L83
twitter.js
L39: .update(signatureBaseString)
L40: .digest('base64');
L41: }
...
L80: async function xRequest(method, endpoint, params = {}, body = null) {
L81: const baseUrl = 'https://api.twitter.com';
L82: const url = `${baseUrl}${endpoint}`;
...
L89: const fetchUrl = method === 'GET' && Object.keys(params).length > 0
L90: ? `${url}?${new URLSearchParams(params)}`
L91: : url;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

twitter.js · L39
tools/subscriptions.js
L39: const token = config.getToken();
L40: const apiUrl = process.env.VIBE_API_URL || 'https://www.slashvibe.dev';
L41:
...
L51:
L52: const result = await response.json();
L53:
...
L72: `.trim(),
L73: data: result
L74: };
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

tools/subscriptions.js · L39
hooks/check-guest-messages.sh
path = hooks/check-guest-messages.sh kind = build_helper sizeBytes = 7800 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

hooks/check-guest-messages.sh
tools/_work-context.manual-test.js
L77: patternName = github_pat severity = critical line = 77 matchedText = { input:...' },
Critical
Secret Pattern

GitHub personal access token in tools/_work-context.manual-test.js

tools/_work-context.manual-test.js · L77

Findings

3 Critical · 1 High · 4 Medium · 5 Low
Critical · Critical Secret · tools/_work-context.test.js
Critical · Secret Pattern · tools/_work-context.test.js
Critical · Secret Pattern · tools/_work-context.manual-test.js
High · Credential Exfiltration · tools/subscriptions.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · hooks/check-guest-messages.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · twitter.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings