Tracked packageView full profile for Gearboy →

MCPSafe.io

Security pre-install checks for MCP servers.

Mostly safe — a couple of notes worth reading.

Compare to another server

github · GearboyHEAD

Item: Gearboy
Rating: 4
Author: MCPSafe

Scanned 5/3/2026, 7:19:27 PM·Cached result·Fast Scan·45 rules·How we decide ↗

AIVSS Score

3.2/ 10

Low

Severity Breakdown

critical

high

medium

low

MCP Server Information

PackageGearboy

VersionHEAD

SourceGITHUB

LicenseGPL-3.0

Publisherdrhelius

Package age13y 9m

Stars1.1K

Downloads/wk—

Dependencies0

Homepagehttps://x.com/drhelius

Repositoryhttps://github.com/drhelius/Gearboy

Findings

25 of 25 findings

medium (25)

25 findings

medium (25)

AIVSS 3.2CVSS 4.4

Dockerfile never sets a non-root `USER` directive, so the CMD runs as root by default. Any RCE or library-level vulnerability exploited inside this container gets full privileges (MCP Top-10 R3). Add `USER <non-root>` before CMD / ENTRYPOINT in the final stage — e.g. `USER 1000`, `USER nobody`, or `USER nonroot` on distroless.

Evidence

FROM ubuntu:24.04

ENV LANG="C.UTF-8"

# Install basic build tools
RUN apt-get update \
    && apt-get upgrade -y \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y \
        ca-certificates \
        curl \
        git \
        jq \
        vim \
        make \
        cmake \
        unzip \
        zip \
        xxd \
        build-essential \
        gdb \
        clang \
        lldb \
        libx11-dev \
        libxext-dev \
        libxrandr-dev \
        libxcursor-dev \
     

Remediation

Create and switch to a non-root user before the CMD / ENTRYPOINT: RUN adduser --system --uid 1000 app USER 1000 Or reuse the base image's shipped non-root account (e.g. `USER nobody`, `USER nonroot` on distroless). Multi-stage builds only need the USER directive in the final stage.

1	FROM ubuntu:24.04
2
3	ENV LANG="C.UTF-8"
4
5	# Install basic build tools
6	RUN apt-get update \
7	&& apt-get upgrade -y \
8	&& DEBIAN_FRONTEND=noninteractive apt-get install -y \
9	ca-certificates \
10	curl \
11	git \
12	jq \
13	vim \
14	make \
15	cmake \
16	unzip \
17	zip \
18	xxd \
19	build-essential \
20	gdb \
21	clang \
22	lldb \
23	libx11-dev \
24	libxext-dev \
25	libxrandr-dev \
26	libxcursor-dev \
27

72	working-directory: platforms/linux
73
74	- name: Perform CodeQL Analysis
75	uses: github/codeql-action/analyze@v4
76	with:
77	category: "/language:${{matrix.language}}"

260	packages: write
261	steps:
262	- name: Checkout
263	uses: actions/checkout@v6
264	with:
265	fetch-depth: 0
266	- name: Get build number

22	contents: read
23	steps:
24	- name: Checkout
25	uses: actions/checkout@v6
26
27	- name: Get release version
28	run: \|

392	run: \|
393	mkdir -p release
394	- name: Download artifacts
395	uses: actions/download-artifact@v8
396	with:
397	pattern: ${{ env.NAME_UPPER }}-${{ env.BUILD_NUMBER }}-*
398	path: release

61	echo "BUILD_NUMBER=$(git describe --abbrev=7 --dirty --always --tags)" >> $GITHUB_ENV
62
63	- name: Initialize CodeQL
64	uses: github/codeql-action/init@v4
65	with:
66	languages: ${{ matrix.language }}
67	build-mode: ${{ matrix.build-mode }}

369	fi
370	zip -r ../${{ env.NAME_UPPER }}-${{ env.BUILD_NUMBER }}-mcpb-${PLATFORM_NAME}-${{ matrix.variant.arch }}.mcpb *
371	- name: Archive MCPB
372	uses: actions/upload-artifact@v7
373	with:
374	name: ${{ env.NAME_UPPER }}-${{ env.BUILD_NUMBER }}-mcpb-${{ matrix.variant.platform == 'darwin' && 'macos' \|\| matrix.variant.platform == 'win32' && 'windows' \|\| matrix.variant.platform }}-${{ matrix.variant.arch }}
375	path: ${{ env.NAME_UPPER }}-${{ env.BUILD_NUMBER }}-mcpb-${{ matrix.v

70	cp platforms/linux/${{ env.NAME_LOWER }} artifact
71	cp -r platforms/shared/desktop/mcp/resources artifact/mcp/
72	- name: Archive binary
73	uses: actions/upload-artifact@v7
74	with:
75	name: ${{ env.NAME_UPPER }}-${{ env.BUILD_NUMBER }}-desktop-${{ matrix.artifact_name }}
76	path: artifact/*

268	echo "BUILD_NUMBER=$(git describe --abbrev=7 --dirty --always --tags)" >> $GITHUB_ENV
269	- name: Run FreeBSD and gmake
270	id: test
271	uses: vmactions/freebsd-vm@v1
272	with:
273	usesh: true
274	prepare: pkg install -y git gmake pkgconf sdl3 lang/gcc

283	cp platforms/bsd/${{ env.NAME_LOWER }} artifact
284	cp -r platforms/shared/desktop/mcp/resources artifact/mcp/
285	- name: Archive binary
286	uses: actions/upload-artifact@v7
287	with:
288	name: ${{ env.NAME_UPPER }}-${{ env.BUILD_NUMBER }}-desktop-bsd-x64
289	path: artifact/*

52	echo "Intel SHA256: $INTEL_SHA"
53
54	- name: Checkout Homebrew tap repository
55	uses: actions/checkout@v6
56	with:
57	repository: ${{ env.TAP_REPO }}
58	token: ${{ secrets.HOMEBREW_TAP_TOKEN }}

220	with:
221	fetch-depth: 0
222	- name: Setup msbuild
223	uses: microsoft/setup-msbuild@v3
224	- name: Download SDL3 development libraries
225	shell: bash
226	env:

201	ditto -c -k --keepParent "platforms/macos/${{ env.NAME_UPPER }}.app" "platforms/macos/${{ env.NAME_UPPER }}.app.zip"
202	mv platforms/macos/${{ env.NAME_UPPER }}.app.zip artifact/
203	- name: Archive binary
204	uses: actions/upload-artifact@v7
205	with:
206	name: ${{ env.NAME_UPPER }}-${{ env.BUILD_NUMBER }}-desktop-macos-${{ matrix.architecture == 'arm' && 'arm64' \|\| 'intel' }}
207	path: artifact/*

305	- { platform: linux, arch: arm64, os: ubuntu-24.04-arm, artifact_name: ubuntu24.04-arm64 }
306	steps:
307	- name: Checkout
308	uses: actions/checkout@v6
309	with:
310	fetch-depth: 0
311	- name: Get build number

31	build-mode: manual
32	steps:
33	- name: Checkout
34	uses: actions/checkout@v6
35	with:
36	fetch-depth: 0

248	cp platforms/windows/release/${{ env.NAME_UPPER }}.exe artifact
249	cp -r platforms/shared/desktop/mcp/resources artifact/mcp/
250	- name: Archive binary
251	uses: actions/upload-artifact@v7
252	with:
253	name: ${{ env.NAME_UPPER }}-${{ env.BUILD_NUMBER }}-desktop-windows-${{ matrix.architecture }}
254	path: artifact/*

312	run: \|
313	echo "BUILD_NUMBER=$(git describe --abbrev=7 --dirty --always --tags)" >> $GITHUB_ENV
314	- name: Download artifact
315	uses: actions/download-artifact@v8
316	with:
317	name: ${{ env.NAME_UPPER }}-${{ env.BUILD_NUMBER }}-desktop-${{ matrix.variant.platform == 'darwin' && format('macos-{0}', matrix.variant.architecture == 'arm' && 'arm64' \|\| 'intel') \|\| matrix.variant.platform == 'linux' && matrix.variant.artifact_name \|\| format('windows-{0}', matrix.variant.architecture) }

382	contents: write
383	steps:
384	- name: Checkout
385	uses: actions/checkout@v6
386	with:
387	fetch-depth: 0
388	- name: Get build number

128	run: make
129	working-directory: platforms/libretro
130	- name: Archive binary
131	uses: actions/upload-artifact@v7
132	with:
133	name: ${{ env.NAME_UPPER }}-${{ env.BUILD_NUMBER }}-libretro-linux-x64
134	path: platforms/libretro/${{ env.NAME_LOWER }}_libretro.so

19	id-token: write
20	steps:
21	- name: Checkout
22	uses: actions/checkout@v6
23	- name: Get release tag
24	id: release_info
25	run: \|

github · GearboyHEAD

medium (25)

medium (25)

LLM summary— Gearboy:HEAD

Signal scores

LLM judge panel

CVE check

Community trust

Scan details

MCP Server Information

Run this exact engine on your private repo — before users see it on /scan.

medium (25)

medium (25)

Severity breakdown