github · anki-mcp-server-addonHEAD

Scanned 4/30/2026, 9:27:48 AM·Fast Scan·45 rules·How we decide ↗

AIVSS Score

2.3/ 10

Low

Severity Breakdown

critical

high

medium

low

MCP Server Information

Packageanki-mcp-server-addon

VersionHEAD

SourceGITHUB

Package age—

Stars—

Downloads/wk—

Findings

13 of 13 findings

medium (10)

low (3)

13 findings

medium (10)

AIVSS 2.3CVSS 3.5

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

Evidence

- name: Upload .ankiaddon artifact
        if: always()
        uses: actions/upload-artifact@v5
        with:
          name: anki_mcp_server.ankiaddon
          path: anki_mcp_server.ankiaddon

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

48	- name: Upload .ankiaddon artifact
49	if: always()
50	uses: actions/upload-artifact@v5
51	with:
52	name: anki_mcp_server.ankiaddon
53	path: anki_mcp_server.ankiaddon

64	- uses: actions/checkout@v5
65
66	- name: Setup Python
67	uses: actions/setup-python@v6
68	with:
69	python-version: '3.x'

15	uses: actions/checkout@v5
16
17	- name: Set up Python
18	uses: actions/setup-python@v6
19	with:
20	python-version: "3.11"

12	steps:
13	- name: Checkout code
14	uses: actions/checkout@v5
15
16	- name: Set up Python
17	uses: actions/setup-python@v6

61	contents: write
62
63	steps:
64	- uses: actions/checkout@v5
65
66	- name: Setup Python
67	uses: actions/setup-python@v6

26	python-version: "3.11"
27
28	- name: Set up Node.js
29	uses: actions/setup-node@v5
30	with:
31	node-version: "22"

72	run: ./package.sh
73
74	- name: Create Release
75	uses: softprops/action-gh-release@v2
76	with:
77	files: '*.ankiaddon'
78	generate_release_notes: true

144	except Exception as e:
145	logger.warning(f"Could not retrieve card {qc.card.id}: {e}")
146	try:
147	col.sched.bury_cards([qc.card.id], manual=True)
148	except Exception:
149	pass # if even burying fails, safety limit will catch us
150	continue
151
152	# If queued is None, we never successfully called get_queued_cards

21	from anki.buildinfo import version
22	parts = version.split(".")
23	if len(parts) >= 2:
24	return int(parts[0]) * 10000 + int(parts[1]) * 100
25	except Exception:
26	pass
27	return 0

104	# at its own import time and raises PydanticUserError on mismatch.
105	try:
106	import pydantic_core # noqa: F401
107	return True
108	except ImportError:
109	pass
110
111	try:
112	required_version = _get_required_pydantic_core_version()

github · anki-mcp-server-addonHEAD

medium (10)

low (3)

medium (10)

low (3)

Signal scores

LLM judge panel

CVE check

Community trust

Scan details

MCP Server Information

Run this exact engine on your private repo — before users see it on /scan.

medium (10)

low (3)

medium (10)

low (3)

Severity breakdown