registry  /  ue-mcp  /  1.1.8

ue-mcp@1.1.8

⚠ Under review

Unreal Engine MCP server - 23 tools, 631+ actions for AI-driven editor control

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 86 file(s), 652 KB of source, external domains: api.github.com, cli.github.com, github.com, registry.npmjs.org, ue-mcp.com

Source & flagged code

7 flagged · loading source
dist/editor-control.jsView file
2import * as path from "node:path"; L3: import { spawn, execSync } from "child_process"; L4: import * as net from "net";
High
Child Process

Package source references child process execution.

dist/editor-control.jsView on unpkg · L2
254const fullCommand = `cmd /c "${quotedCommand} ${buildArgs.join(" ")}"`; L255: proc = spawn(fullCommand, [], { shell: true, stdio: "pipe" }); L256: }
High
Shell

Package source references shell execution.

dist/editor-control.jsView on unpkg · L254
2import * as path from "node:path"; L3: import { spawn, execSync } from "child_process"; L4: import * as net from "net"; L5: import { findEngineInstall } from "./deployer.js"; ... L10: function findUEBuildTool() { L11: const envPath = process.env.UE_BUILD_TOOL_PATH; L12: if (envPath)
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/editor-control.jsView on unpkg · L2
dist/update.jsView file
74console.log(""); L75: const cmd = isGlobalInstall() ? `npm install -g ue-mcp@${latest}` : `npm install ue-mcp@${latest}`; L76: try { L77: execSync(cmd, { stdio: "inherit" }); L78: console.log("");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/update.jsView on unpkg · L74
17function getInstalledVersion() { L18: const require = createRequire(import.meta.url); L19: return require("../package.json").version;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/update.jsView on unpkg · L17
dist/resolve.jsView file
7*/ L8: import { execSync, spawn } from "node:child_process"; L9: import * as fs from "node:fs"; ... L41: const args = process.argv.slice(3); L42: const ciMode = args.includes("--ci") || !!process.env.CI; L43: const issueArg = args.find((a) => !a.startsWith("-")); ... L54: if (!hasCommand("gh")) L55: fail("gh CLI is required. Install: https://cli.github.com"); L56: if (!hasCommand("claude")) ... L90: const raw = run(`gh issue view ${issueNum} --repo db-lyon/ue-mcp --json title,body,labels`); L91: issue = JSON.parse(raw); L92: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/resolve.jsView on unpkg · L7
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = ue-mcp@1.0.86 matchedIdentity = npm:dWUtbWNw:1.0.86 similarity = 0.923 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

1 Critical5 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/editor-control.js
HighShelldist/editor-control.js
HighSame File Env Network Executiondist/editor-control.js
HighSandbox Evasion Gated Capabilitydist/resolve.js
HighRuntime Package Installdist/update.js
MediumDynamic Requiredist/update.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings