Tracked packageView full profile for fli →

MCPSafe.io

Security pre-install checks for MCP servers.

Mostly safe — a couple of notes worth reading.

Compare to another server

github · fliHEAD

Item: fli
Rating: 4
Author: MCPSafe

Scanned 5/3/2026, 7:12:30 PM·Cached result·Fast Scan·45 rules·How we decide ↗

AIVSS Score

3.4/ 10

Low

Severity Breakdown

critical

high

medium

low

MCP Server Information

Packagefli

VersionHEAD

SourceGITHUB

LicenseMIT

Publisherpunitarani

Package age1y 3m

Stars2.2K

Downloads/wk—

Dependencies0

Homepagehttps://deepwiki.com/punitarani/fli

Repositoryhttps://github.com/punitarani/fli

Findings

Showing 1–30 of 41 findings

high (1)

medium (22)

low (7)

«‹

41 findings

high (1)

AIVSS 3.4CVSS 5.8

Install-time script pipes a remote download directly into a shell. Any `npm install` or `docker build` on this package will execute attacker-controlled code without review. Fetch a pinned artifact, verify a checksum, and invoke it explicitly — or drop the hook entirely.

Evidence

&& rm -rf /var/lib/apt/lists/*

# Install act (for running GitHub Actions locally)
RUN curl -sSL https://raw.githubusercontent.com/nektos/act/master/install.sh | bash -s -- -b /usr/local/bin

# Install uv
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/

Remediation

Prefer libraries that do not require install-time code execution: - Drop `postinstall`/`preinstall`/`prepare` scripts if the work can happen at runtime or build-time instead. - Ship pre-built native binaries rather than compiling via a custom `cmdclass` or `build_ext` override. - For Dockerfiles: replace `RUN curl … | sh` with a pinned download + checksum verification + explicit `RUN` of a named script. - If the hook is unavoidable, document exactly what it does so downstream reviewers

8	&& rm -rf /var/lib/apt/lists/*
9
10	# Install act (for running GitHub Actions locally)
11	RUN curl -sSL https://raw.githubusercontent.com/nektos/act/master/install.sh \| bash -s -- -b /usr/local/bin
12
13	# Install uv
14	COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/

35	```python
36	from fli.mcp import run_http
37
38	run_http(host="0.0.0.0", port=8000)
39	```
40
41	Once running, the MCP endpoint is served at `/mcp/`, for example: `http://127.0.0.1:8000/mcp/`.

293	}
294
295	except ParseError as e:
296	return {"success": False, "error": str(e), "flights": []}
297	except Exception as e:
298	error_msg = str(e)
299	if "validation error" in error_msg.lower():

8	PORT: "8000"
9	restart: unless-stopped
10	healthcheck:
11	test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')"]
12	interval: 30s
13	timeout: 10s
14	retries: 3

66	Args:
67	url: Target URL for the request
68	**kwargs: Additional arguments passed to requests.post()
69
70	Returns:
71	Response object from the server

1	FROM python:3.10-slim
2
3	# Install system dependencies
4	RUN apt-get update && apt-get install -y --no-install-recommends \
5	git \
6	curl \
7	make \
8	&& rm -rf /var/lib/apt/lists/*
9
10	# Install act (for running GitHub Actions locally)
11	RUN curl -sSL https://raw.githubusercontent.com/nektos/act/master/install.sh \| bash -s -- -b /usr/local/bin
12
13	# Install uv
14	COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
15
16	# Set up workspace
17	WORKDIR /workspace
18
19	# Copy dependency files first for better lay

15	- uses: actions/checkout@v6
16
17	- name: Install uv
18	uses: astral-sh/setup-uv@v7
19	with:
20	version: "latest"

62	steps:
63	- name: Deploy to GitHub Pages
64	id: deployment
65	uses: actions/deploy-pages@v5

56	run: uv run twine check dist/*
57
58	- name: Upload distributions
59	uses: actions/upload-artifact@v7
60	with:
61	name: release-dists
62	path: dist/

113	- name: Upload Test Results
114	if: always() && !env.ACT
115	uses: actions/upload-artifact@v7
116	with:
117	name: Test Results (Python ${{ matrix.python-version }})
118	path: junit.xml

42	type=semver,pattern={{version}}
43	type=semver,pattern={{major}}.{{minor}}
44	- name: Build and push Docker image
45	uses: docker/build-push-action@v5
46	with:
47	context: .
48	push: true

25	uses: docker/setup-buildx-action@v3
26
27	- name: Log in to the Container registry
28	uses: docker/login-action@v3
29	with:
30	registry: ${{ env.REGISTRY }}
31	username: ${{ github.actor }}

129	steps:
130	- name: Download Artifacts
131	uses: actions/download-artifact@v8
132	with:
133	path: artifacts

35	- run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV
36
37	- uses: actions/cache@v5
38	with:
39	key: mkdocs-material-${{ env.cache_id }}
40	path: .cache

89	fail-fast: false
90
91	steps:
92	- uses: actions/checkout@v6
93
94	- name: Install uv
95	uses: astral-sh/setup-uv@v7

25	python-version: "3.12"
26
27	- name: Install uv
28	uses: astral-sh/setup-uv@v7
29	with:
30	version: "latest"

75	steps:
76	- name: Retrieve release distributions
77	uses: actions/download-artifact@v8
78	with:
79	name: release-dists
80	path: dist/

81	path: dist/
82
83	- name: Publish release distributions to PyPI
84	uses: pypa/gh-action-pypi-publish@release/v1
85	with:
86	packages-dir: dist/

33	- name: Extract metadata (tags, labels) for Docker
34	id: meta
35	uses: docker/metadata-action@v5
36	with:
37	images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
38	tags: \|

20	- uses: actions/checkout@v6
21
22	- name: Set up Python
23	uses: actions/setup-python@v6
24	with:
25	python-version: "3.12"

12	lint:
13	runs-on: ubuntu-latest
14	steps:
15	- uses: actions/checkout@v6
16
17	- name: Install uv
18	uses: astral-sh/setup-uv@v7

26	git config user.email 41898282+github-actions[bot]@users.noreply.github.com
27
28	- name: Install uv
29	uses: astral-sh/setup-uv@v7
30	with:
31	version: "latest"

49	run: uv run mkdocs build
50
51	- name: Upload artifact
52	uses: actions/upload-pages-artifact@v4
53	with:
54	path: site

19	build:
20	runs-on: ubuntu-latest
21	steps:
22	- uses: actions/checkout@v6
23	- name: Configure Git Credentials
24	run: \|
25	git config user.name github-actions[bot]

github · fliHEAD

high (1)

medium (22)

low (7)

high (1)

medium (33)

low (7)

LLM summary— fli:HEAD

Signal scores

LLM judge panel

CVE check

Community trust

Scan details

MCP Server Information

Run this exact engine on your private repo — before users see it on /scan.

high (1)

medium (22)

low (7)

high (1)

medium (33)

low (7)

Severity breakdown

19	steps:
20	- name: Checkout repository
21	uses: actions/checkout@v4
22
23	- name: Set up Docker Buildx
24	uses: docker/setup-buildx-action@v3

134	path: artifacts
135
136	- name: Publish Test Results
137	uses: EnricoMi/publish-unit-test-result-action@v2
138	with:
139	files: "artifacts/**/junit.xml"
140	check_name: "Test Results"

191	try:
192	if item and isinstance(item, list) and len(item) > 2:
193	if isinstance(item[2], list) and len(item[2]) > 1:
194	return extract_currency_from_price_token(item[2][1])
195	except (IndexError, TypeError, ValueError):
196	pass
197
198	return None

154	currency = None
155	try:
156	if price_block and price_block[0]:
157	price = float(price_block[0][-1])
158	except (IndexError, TypeError):
159	pass
160	try:
161	if price_block and len(price_block) > 1:
162	currency = extract_currency_from_price_token(price_block[1])

130	elif stops_int >= 2:
131	return MaxStops.TWO_OR_FEWER_STOPS
132	else:
133	return MaxStops.ANY
134	except ValueError:
135	pass
136
137	# Try as string name
138	upper_stops = stops.upper()

170	try:
171	price_block = SearchFlights._get_price_block(data)
172	if price_block and len(price_block) > 1:
173	return extract_currency_from_price_token(price_block[1])
174	except (IndexError, TypeError):
175	pass
176	return None
177
178	@staticmethod

180	"""Return the raw price block attached to a flight row."""
181	try:
182	if len(data) > 1 and isinstance(data[1], list):
183	return data[1]
184	except TypeError:
185	pass
186	return None
187
188	@staticmethod

179	if item and isinstance(item, list) and len(item) > 2:
180	if isinstance(item[2], list) and len(item[2]) > 0:
181	if isinstance(item[2][0], list) and len(item[2][0]) > 1:
182	return float(item[2][0][1])
183	except (IndexError, TypeError, ValueError):
184	pass
185
186	return None