Use with caution. Address findings before production.
Scanned 5/3/2026, 7:37:19 PM · Cached result · Fast Scan · 88 rules
AIVSS Score: Medium
Severity Breakdown: 0 critical, 3 high, 263 medium, 0 low
MCP Server Information
Findings
This package has a security grade of C and a low safety score of 40/100, indicating significant vulnerabilities. With three high-severity issues and 263 medium-severity findings, including a large number of vulnerable dependencies and resource exhaustion risks, proceed with caution before installation.
Dependencies
@hono/node-server (2)
hono (54)
@cloudflare/vite-plugin (1)
Scan Details
Fast scan found 18 findings using rule-based analysis.
18 findings (18 of 18 shown)
Tool 'list_logs' fetches untrusted log data from Cloudflare API and returns it verbatim as JSON without provenance markers, enabling indirect prompt injection via malicious log content.
Evidence
| Line | Code |
| --- | --- |
| 6 | `import type { LogListParams } from 'cloudflare/resources/ai-gateway'` |
| 7 | `import type { AIGatewayMCP } from '../ai-gateway.app'` |
| 8 | |
| 9 | `export function registerAIGatewayTools(agent: AIGatewayMCP) {` |
| 10 | `agent.server.tool(` |
| 11 | `'list_gateways',` |
| 12 | `'List Gateways',` |
Remediation
Wrap untrusted content with a clear delimiter naming the source, e.g. `<<<untrusted-content from example.com>>>` / `<<<end>>>`. Truncate to a known upper bound. Strip or neutralize model-directive markup (`<system>`, `[INST]`, role-turn markers) before returning. Optionally hash / quarantine large payloads and return only a summary plus a handle the agent can opt into.
Tool 'get_log_details' fetches untrusted log details from Cloudflare API and returns them verbatim without provenance markers, enabling indirect prompt injection via malicious log content.
Evidence
| Line | Code |
| --- | --- |
| 53 | `type: 'text',` |
| 54 | ``text: `Error listing gateways: ${error instanceof Error && error.message}`,`` |
| 55 | `},` |
| 56 | `],` |
| 57 | `}` |
| 58 | `}` |
| 59 | `}` |
Remediation
Wrap untrusted content with a clear delimiter naming the source, e.g. `<<<untrusted-content from example.com>>>` / `<<<end>>>`. Truncate to a known upper bound. Strip or neutralize model-directive markup (`<system>`, `[INST]`, role-turn markers) before returning. Optionally hash / quarantine large payloads and return only a summary plus a handle the agent can opt into.
MCP tool returns content marked as HTML (`{type: "html"}`, `Content-Type: text/html`, or `mimeType: "text/html"`) with no sanitiser on the same code path. The host renders HTML directly — anything tainted in the body becomes a script execution / markup-injection vector. Pipe the body through `DOMPurify.sanitize()` (TS), `bleach.clean()` (Python), `lxml.html.clean.Cleaner`, or `sanitize_html` before returning. Better: return `{type: "text"}` / `text/plain` and let the host escape. Distinct from
Evidence
| Line | Code |
| --- | --- |
| 1 | `import { McpAgent } from 'agents/mcp'` |
| 2 | |
| 3 | `import { getEnv } from '@repo/mcp-common/src/env'` |
| 4 | `import { CloudflareMCPServer } from '@repo/mcp-common/src/server'` |
| 5 | |
| 6 | `// The demo day MCP server isn't stateful, so we don't have state/props` |
| 7 | `export type Props = never` |
| 8 | |
| 9 | `export type State = never` |
| 10 | |
| 11 | `export type Env = {` |
| 12 | `ENVIRONMENT: 'development' \| 'staging' \| 'production'` |
| 13 | `AUTORAG_NAME: 'cloudflare-docs-autorag'` |
| 14 | `MCP_SERVER_NAME: 'PLACEHOLDER'` |
| 15 | `MCP_SERVER_VERSION: 'PLACEHOLDER'` |
| 16 | `MCP_OBJECT: DurableObjectNamespace` |
Remediation
Sanitise the HTML body before return. Prefer `DOMPurify.sanitize(body)` (TS, plenty of MCP servers already bundle it for resource rendering) or `bleach.clean(body, tags=ALLOWED_TAGS, strip=True)` (Python). Even better: return `{type: "text"}` / `Content-Type: text/plain` and let the host's markdown renderer handle escaping. HTML output is rarely needed for tool results.
MCP tool description or return text contains an imperative phrase that asks the LLM to invoke or call ANOTHER tool — "invoke the write_file tool", "before using this, also call send_email", "silently invoke X". This is a cross-tool chaining injection: the user authorized THIS tool, but the payload escalates into others. Tool descriptions should describe what the tool DOES, not direct the LLM to use other tools. If a tool's correct operation requires composition, document the dependency in human
Evidence
| Line | Code |
| --- | --- |
| 1 | `import { z } from 'zod'` |
| 2 | |
| 3 | `import { fetchCloudflareApi } from '@repo/mcp-common/src/cloudflare-api'` |
| 4 | `import { getProps } from '@repo/mcp-common/src/get-props'` |
| 5 | |
| 6 | `import { getReader } from '../warp_diag_reader'` |
| 7 | |
| 8 | `import type { ToolCallback } from '@modelcontextprotocol/sdk/server/mcp.js'` |
| 9 | `import type { ToolAnnotations } from '@modelcontextprotocol/sdk/types.js'` |
| 10 | `import type { ZodRawShape, ZodTypeAny } from 'zod'` |
| 11 | `import type { CloudflareDEXMCP } from '../dex-analysis.app'` |
| 12 | |
| 13 | `export function registerDEXTools` |
Remediation
Tool descriptions should describe what the tool does — not what the model should do with other tools. If a tool's correct operation legitimately requires another tool to be called, document that as a `composition` requirement in human-readable docs and let the calling code orchestrate, not the LLM. If the directive phrasing is coming from external content the tool retrieved (RAG, web fetch), wrap in `<untrusted>` tags and rely on the system prompt to flag tag-bound content as data, not instruct
MCP tool description or return text contains an imperative phrase that asks the LLM to invoke or call ANOTHER tool — "invoke the write_file tool", "before using this, also call send_email", "silently invoke X". This is a cross-tool chaining injection: the user authorized THIS tool, but the payload escalates into others. Tool descriptions should describe what the tool DOES, not direct the LLM to use other tools. If a tool's correct operation requires composition, document the dependency in human
Evidence
| Line | Code |
| --- | --- |
| 1 | `import { McpAgent } from 'agents/mcp'` |
| 2 | |
| 3 | `import { getProps } from '@repo/mcp-common/src/get-props'` |
| 4 | `import { CloudflareMCPServer } from '@repo/mcp-common/src/server'` |
| 5 | |
| 6 | `import { ExecParams, FilePathParam, FileWrite } from '../shared/schema'` |
| 7 | `import { BASE_INSTRUCTIONS } from './prompts'` |
| 8 | `import { stripProtocolFromFilePath } from './utils'` |
| 9 | |
| 10 | `import type { Props, UserContainer } from './sandbox.server.app'` |
| 11 | `import type { Env } from './sandbox.server.context'` |
| 12 | |
| 13 | `export class ContainerMcpAgent extends McpAgent` |
Remediation
Tool descriptions should describe what the tool does — not what the model should do with other tools. If a tool's correct operation legitimately requires another tool to be called, document that as a `composition` requirement in human-readable docs and let the calling code orchestrate, not the LLM. If the directive phrasing is coming from external content the tool retrieved (RAG, web fetch), wrap in `<untrusted>` tags and rely on the system prompt to flag tag-bound content as data, not instruct
@modelcontextprotocol/sdk==1.20.2 has 3 known CVEs [HIGH]: GHSA-345p-7cg4-v4c7, GHSA-8r9q-7v3j-jr4g, GHSA-w48q-cv73-mx4w. Upgrade to a patched version. (Reported 3 times in the scan; identical entries merged here.)
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
wrangler==4.10.0 has 1 known CVE [HIGH]: GHSA-36p8-mvp6-cv38. Upgrade to a patched version. (Reported 4 times in the scan; identical entries merged here.)
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
hono==4.7.6 has 20 known CVEs [HIGH]: GHSA-26pp-8wgv-hjvm, GHSA-3vhc-576x-3qv4, GHSA-458j-xx4x-4375 (+17 more). Upgrade to a patched version. (Reported 2 times in the scan; identical entries merged here.)
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
agents==0.2.19 has 3 known CVEs [MEDIUM]: GHSA-cvhv-6xm6-c3v4, GHSA-r7x9-8ph7-w8cg, GHSA-w5cr-2qhr-jqc5. Upgrade to a patched version. (Reported 3 times in the scan; identical entries merged here.)
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
ai==4.3.10 has 1 known CVE [LOW]: GHSA-rwvc-j5jr-mgvh. Upgrade to a patched version. (Reported once in the scan.)
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
list_gateways
mcp_demo_day_info
container_initialize