Tracked packageView full profile for mcp-server-asana

MCPSafe.io

Security pre-install checks for MCP servers.

Mostly safe — a couple of notes worth reading.

Compare to another server

github · mcp-server-asanac4508aac54e2

Item: mcp-server-asana
Rating: 4
Author: MCPSafe

Scanned 5/3/2026, 6:18:11 PM·Cached result·Fast Scan·45 rules·How we decide ↗

AIVSS Score

2.8/ 10

Low

Severity Breakdown

critical

high

medium

low

MCP Server Information

Packagemcp-server-asana

Versionc4508aac54e2

SourceGITHUB

LicenseMIT

Publisherroychri

Package age1y 4m

Stars138

Downloads/wk—

Dependencies0

Repositoryhttps://github.com/roychri/mcp-server-asana

Findings

21 of 21 findings

medium (21)

21 findings

medium (21)

AIVSS 2.8CVSS 3.5

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

Evidence

},

    getPrompt: async (request: GetPromptRequest): Promise<GetPromptResult> => {
      console.error("Received GetPromptRequest:", request);

      // Block non-read prompts in read-only mode
      if (isReadOnlyMode && !READ_ONLY_PROMPTS.includes(request.params.name)) {

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

89	},
90
91	getPrompt: async (request: GetPromptRequest): Promise<GetPromptResult> => {
92	console.error("Received GetPromptRequest:", request);
93
94	// Block non-read prompts in read-only mode
95	if (isReadOnlyMode && !READ_ONLY_PROMPTS.includes(request.params.name)) {

953	console.log(`Task 1 Notes: ${tasks[0].notes}`);
954	}
955	}, (error) => {
956	console.error(error.response.body);
957	});
958	```

995	let task = result.data;
996	console.log(task.name);
997	}, (error) => {
998	console.error(error.response.body);
999	});
1000	```

135	export function tool_handler(asanaClient: AsanaClientWrapper): (request: CallToolRequest) => Promise<CallToolResult> {
136	return async (request: CallToolRequest) => {
137	console.error("Received CallToolRequest:", request);
138	try {
139	if (!request.params.arguments) {
140	throw new Error("No arguments provided");

96	tasksApiInstance.createTask(body, opts).then((result) => {
97	console.log('API called successfully. Returned data: ' + JSON.stringify(result.data, null, 2));
98	}, (error) => {
99	console.error(error.response.body);
100	});
101	```

1061	let result = result.data;
1062	console.log(result);
1063	}, (error) => {
1064	console.error(error.response.body);
1065	});
1066	```

366	tasksApiInstance.getTasks(opts).then((result) => {
367	console.log(JSON.stringify(result.data, null, 2));
368	}, (error) => {
369	console.error(error.response.body);
370	});
371	```

121	tasksApiInstance.updateTask(body, task_gid, opts).then((result) => {
122	console.log('API called successfully. Returned data: ' + JSON.stringify(result.data, null, 2));
123	}, (error) => {
124	console.error(error.response.body);
125	});
126	```

140	tasksApiInstance.deleteTask(task_gid).then((result) => {
141	console.log('API called successfully. Returned data: ' + JSON.stringify(result.data, null, 2));
142	}, (error) => {
143	console.error(error.response.body);
144	});
145	```

827	console.log(`taskName: ${taskName}`);
828	console.log(`taskNotes: ${taskNotes}`);
829	}, (error) => {
830	console.error(error.response.body);
831	});
832	```

569	}
570	return result;
571	}, (error) => {
572	console.error(error.response.body);
573	});
574	// Do something with the tasks. EX: print out results
575	console.log('Tasks: ' + JSON.stringify(tasks, null, 2));

49	* Reads a resource (workspace details or project details)
50	*/
51	const readResource = async (request: ReadResourceRequest): Promise<ReadResourceResult> => {
52	console.error("Received ReadResourceRequest:", request);
53	try {
54	const { uri } = request.params;

685	}
686	}
687	}, (error) => {
688	console.error(error.response.body);
689	});
690
691	```

853	console.log(task);
854	console.log(headers);
855	}, (error) => {
856	console.error(error.response.body);
857	});
858	```

1031	let task = result.data;
1032	console.log(task.name);
1033	}, (error) => {
1034	console.error(error.response.body);
1035	});
1036	```

34	usersApiInstance.getUser(user_gid, opts).then((result) => {
35	console.log('API called successfully. Returned data: ' + JSON.stringify(result.data, null, 2));
36	}, (error) => {
37	console.error(error.response.body);
38	});
39	```

96	client.tasks
97	.findAll({ limit: 50, project: "1199684513975168" })
98	.then((collection) => {
99	collection.fetch(200).then((tasks) => {
100	console.log(tasks);
101	});
102	});

21	],
22	"scripts": {
23	"build": "node build.js",
24	"prepare": "npm run build",
25	"start": "node dist/index.js",
26	"dev": "NODE_ENV=development NODE_OPTIONS='--loader ts-node/esm' node --experimental-specifier-resolution=node src/index.ts",
27	"watch": "tsc -w",

github · mcp-server-asanac4508aac54e2

medium (21)

medium (21)

LLM summary— mcp-server-asana:c4508aac54e2

Signal scores

LLM judge panel

CVE check

Community trust

Scan details

MCP Server Information

Run this exact engine on your private repo — before users see it on /scan.

medium (21)

medium (21)

Severity breakdown