Use with caution. Address findings before production.
Scanned 5/5/2026, 1:47:03 PM · Cached result · Deep Scan · 88 rules
AIVSS Score: Medium
Severity breakdown: 0 critical, 7 high, 2 medium, 0 low
MCP Server Information
Findings
This package received a C grade with a safety score of 68/100 due to seven high-severity prompt injection vulnerabilities and two medium-severity server configuration issues. The prompt injection risks are the primary concern, as they could allow attackers to manipulate the server's behavior through crafted inputs. You should address these vulnerabilities before deploying this package in production.
Per-finding remediation generated by bedrock-claude-haiku-4-5 for 4 of 9 findings.
No known CVEs found for this package or its dependencies.
Path traversal in git_add allows staging files outside repository boundaries in mcp-server-git
Unrestricted git_init tool allows repository creation at arbitrary filesystem locations in mcp-server-git
Argument injection in git_diff and git_checkout functions for mcp-server-git allows overwriting local files
Missing path validation when using --repository flag in mcp-server-git
Scan Details: done
9 findings
Tool 'read_file' shadows filesystem reserved tool name without server-specific prefix
Evidence

```javascript
#!/usr/bin/env node
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
import { RootsListChangedNotificationSchema, } from "@modelcontextprotocol/sdk/types.js";
```
Tool 'search_files' shadows filesystem reserved tool name without server-specific prefix
Evidence

```javascript
#!/usr/bin/env node
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
import { RootsListChangedNotificationSchema, } from "@modelcontextprotocol/sdk/types.js";
```
Tool 'list_files' shadows filesystem reserved tool name without server-specific prefix
Evidence

```javascript
#!/usr/bin/env node
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
import { RootsListChangedNotificationSchema, } from "@modelcontextprotocol/sdk/types.js";
```
Tool 'write_file' shadows filesystem reserved tool name without server-specific prefix
Evidence

```javascript
#!/usr/bin/env node
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
import { RootsListChangedNotificationSchema, } from "@modelcontextprotocol/sdk/types.js";
```
Remediation (AI-generated)
The tool 'write_file' uses a generic name that conflicts with MCP's reserved filesystem tool namespace, creating ambiguity and potential routing conflicts. Rename the tool to include a server-specific prefix such as 'myserver_write_file' or 'custom_write_file' in the tool.name property passed to server.tool() registration. This prefix ensures the tool name is globally unique within the MCP ecosystem and prevents shadowing of standard filesystem operations. Verify the fix by checking that the tool name in your MCP manifest or client logs shows the prefixed name and does not conflict with any reserved MCP tool names.
ReadMultipleFiles tool reads multiple arbitrary filesystem files and returns their contents verbatim to the LLM without provenance markers, enabling indirect prompt injection via crafted file contents.
Evidence

```javascript
#!/usr/bin/env node
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
import { RootsListChangedNotificationSchema, } from "@modelcontextprotocol/sdk/types.js";
import fs from "fs/promises";
import { createReadStream } from "fs";
import path from "path";
import { z } from "zod";
import { minimatch } from "minimatch";
import { normalizePath, expandHome } from './path-utils.js';
import { getValidRoo
```
ReadTextFile tool reads arbitrary filesystem content authored by third parties and returns it verbatim to the LLM without provenance delimiters, enabling indirect prompt injection via crafted file contents.
Evidence

```javascript
#!/usr/bin/env node
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
import { RootsListChangedNotificationSchema, } from "@modelcontextprotocol/sdk/types.js";
import fs from "fs/promises";
import { createReadStream } from "fs";
import path from "path";
import { z } from "zod";
import { minimatch } from "minimatch";
import { normalizePath, expandHome } from './path-utils.js';
import { getValidRoo
```
SearchFiles tool returns matching file contents from arbitrary filesystem locations verbatim to the LLM without provenance delimiters, enabling indirect prompt injection via crafted file contents.
Evidence

```javascript
#!/usr/bin/env node
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
import { RootsListChangedNotificationSchema, } from "@modelcontextprotocol/sdk/types.js";
import fs from "fs/promises";
import { createReadStream } from "fs";
import path from "path";
import { z } from "zod";
import { minimatch } from "minimatch";
import { normalizePath, expandHome } from './path-utils.js';
import { getValidRoo
```
Remediation (AI-generated)
The SearchFiles tool returns matching file contents verbatim to the LLM without delimiters, allowing an attacker to craft malicious file contents that inject prompt instructions into the LLM context. Wrap each matched file's content with clear provenance markers (e.g., `[FILE: path/to/file]\n{content}\n[END FILE]`) in the tool's response before returning to the client. These markers create a clear boundary between file data and LLM instructions, preventing injected content from being interpreted as system prompts. Test by creating files with prompt injection payloads in a searchable location and verify the markers prevent the LLM from executing the injected commands.
Package declares an install-time hook (npm postinstall/preinstall/prepare, setup.py cmdclass override, custom setuptools install class, or non-default pyproject build-backend). Anyone installing this package runs the hook. Confirm the hook is necessary and review its contents; prefer shipping a plain library without install-time execution.
Evidence

```json
  ],
  "scripts": {
    "build": "tsc && shx chmod +x dist/*.js",
    "prepare": "npm run build",
    "watch": "tsc --watch",
    "test": "vitest run --coverage"
  },
```
Remediation (AI-generated)
The package.json declares a 'prepare' script that runs `npm run build` automatically during installation, executing arbitrary code on every developer's machine without explicit consent. Remove the 'prepare' hook from the scripts section or move the build step to a separate optional script (e.g., 'build-dist') that developers must invoke manually. This ensures that installing the package does not execute code, reducing supply-chain attack surface and giving developers control over when compilation occurs. Verify the fix by running `npm install` in a clean environment and confirming that TypeScript compilation does not occur automatically.
MCP manifest declares tools but no authentication field is present (none of: auth, authorization, bearer, oauth, mtls, apiKey, api_key, basic, token, authToken). Absence is a weak signal; confirm whether the server relies on network-layer or host-level auth, or declare the real mechanism explicitly so reviewers can audit it.
Evidence

```markdown
# Filesystem MCP Server

Node.js server implementing Model Context Protocol (MCP) for filesystem operations.

## Features

- Read/write files
- Create/list/delete directories
- Move files/directories
- Search files
- Get file metadata
- Dynamic directory access control via [Roots](https://modelcontextprotocol.io/docs/learn/client-concepts#roots)

## Directory Access Control

The server uses a flexible directory access control system. Directories can be specified via command-line arguments or dyn
```
Remediation (AI-generated)
The MCP manifest does not declare any authentication or authorization mechanism, making it unclear whether the server enforces access controls or relies on network-layer security. Add an explicit 'auth' or 'authorization' field to the server configuration (in package.json, README, or MCP manifest) documenting the actual security model, e.g., 'auth: "host-level"' if relying on OS permissions, or 'auth: "none"' if the server is intentionally unauthenticated. This transparency allows reviewers and users to understand the security posture and make informed decisions about deployment. Verify the fix by reviewing the manifest with a security team member to confirm the declared auth mechanism matches the actual implementation.
secure-filesystem-server