Use with caution. Address findings before production.
Scanned 5/3/2026, 6:34:45 PM · Cached result · Fast Scan · 45 rules
AIVSS Score: Medium
Severity Breakdown
critical: 0
high: 5
medium: 83
low: 267
MCP Server Information
Findings
This package has a concerning security grade of C and a low safety score of 52/100, with 5 high-severity and 83 medium-severity issues—primarily around resource exhaustion, ANSI escape injection risks, and insecure deserialization. While no critical vulnerabilities were found, the volume of medium-severity findings (especially readiness gaps and server configuration flaws) suggests it may introduce unnecessary risk if installed without mitigation. Proceed only if you can address these issues or accept the potential exposure.
No known CVEs found for this package or its dependencies.
Scan Details
25 of 25 findings
Unsafe deserialization primitive detected. pickle.load(s), yaml.load (without SafeLoader), marshal.load(s), and shelve.open execute arbitrary code when the input is attacker-controlled.
Evidence
| 989 | // PHP/Ruby/Python unserialize equivalents |
| 990 | { re: /\bunserialize\s*\(/g, type: 'unserialize() (insecure deserialization)', severity: SEVERITY.CRITICAL }, |
| 991 | { re: /\bpickle\.loads?\s*\(/g, type: 'Python pickle.load (insecure deserialization)', severity: SEVERITY.CRITICAL }, |
| 992 | { re: /\byaml\.(?:load|unsafe_load)\s*\(/g, type: 'YAML unsafe load (code execution risk)', severity: SEVERITY.CRITICAL }, |
| 993 | { re: /\bMarshal\.(?:load|restore)\s*\(/g, type: 'Ruby Marshal.load (insecure deserializat |
Remediation
Replace pickle with json/msgpack or a schema-validated format (protobuf, cap'n proto). Use yaml.safe_load instead of yaml.load. Never deserialize data from an untrusted source with these APIs.
TLS certificate verification is disabled on an outbound HTTP client. Any MITM in the network path can intercept and modify requests / responses — credentials, tokens, and tool output flow over a channel with no integrity guarantee. Python requests / httpx: drop `verify=False`. If the peer is using a private CA, set `verify="/path/to/ca-bundle.pem"` or configure the system trust store. Node TS axios / fetch: drop `rejectUnauthorized: false` from the agent / `httpsAgent` options. Same private-CA
Evidence
| 7466 | } |
| 7467 | |
| 7468 | if (smtpPort === 465) { |
| 7469 | socket = tls.connect({ host: smtpHost, port: smtpPort, rejectUnauthorized: false }, () => {}); |
| 7470 | } else { |
| 7471 | socket = net.createConnection({ host: smtpHost, port: smtpPort }); |
| 7472 | } |
Remediation
Drop the verify-disable flag. If the peer presents a private CA:
- Python: pass `verify="/path/to/ca.pem"` or trust the system store
- Node: `new https.Agent({ ca: fs.readFileSync("ca.pem") })`
- Go: load the CA via `x509.NewCertPool().AppendCertsFromPEM(...)` and set `tls.Config.RootCAs`
Self-signed certificates: import the cert into the OS trust chain rather than disabling verification per-call.
TLS certificate verification is disabled on an outbound HTTP client. Any MITM in the network path can intercept and modify requests / responses — credentials, tokens, and tool output flow over a channel with no integrity guarantee. Python requests / httpx: drop `verify=False`. If the peer is using a private CA, set `verify="/path/to/ca-bundle.pem"` or configure the system trust store. Node TS axios / fetch: drop `rejectUnauthorized: false` from the agent / `httpsAgent` options. Same private-CA
Evidence
| 1420 | case 'starttls': |
| 1421 | if (code === 220) { |
| 1422 | const tlsSocket = tls.connect( |
| 1423 | { socket, host: smtpHost, rejectUnauthorized: false }, |
| 1424 | () => { |
| 1425 | upgraded = true; |
| 1426 | socket = tlsSocket; |
Remediation
Drop the verify-disable flag. If the peer presents a private CA:
- Python: pass `verify="/path/to/ca.pem"` or trust the system store
- Node: `new https.Agent({ ca: fs.readFileSync("ca.pem") })`
- Go: load the CA via `x509.NewCertPool().AppendCertsFromPEM(...)` and set `tls.Config.RootCAs`
Self-signed certificates: import the cert into the OS trust chain rather than disabling verification per-call.
TLS certificate verification is disabled on an outbound HTTP client. Any MITM in the network path can intercept and modify requests / responses — credentials, tokens, and tool output flow over a channel with no integrity guarantee. Python requests / httpx: drop `verify=False`. If the peer is using a private CA, set `verify="/path/to/ca-bundle.pem"` or configure the system trust store. Node TS axios / fetch: drop `rejectUnauthorized: false` from the agent / `httpsAgent` options. Same private-CA
Evidence
| 7649 | } |
| 7650 | |
| 7651 | if (smtpPort === 465) { |
| 7652 | socket = tls.connect({ host: smtpHost, port: smtpPort, rejectUnauthorized: false }, () => {}); |
| 7653 | } else { |
| 7654 | socket = net.createConnection({ host: smtpHost, port: smtpPort }); |
| 7655 | } |
Remediation
Drop the verify-disable flag. If the peer presents a private CA:
- Python: pass `verify="/path/to/ca.pem"` or trust the system store
- Node: `new https.Agent({ ca: fs.readFileSync("ca.pem") })`
- Go: load the CA via `x509.NewCertPool().AppendCertsFromPEM(...)` and set `tls.Config.RootCAs`
Self-signed certificates: import the cert into the OS trust chain rather than disabling verification per-call.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 5297 | handler: async (args) => { |
| 5298 | const client = await getAuthedClient(); |
| 5299 | const id = args['--id'] || args._[0]; |
| 5300 | if (!id) { console.error('Usage: workflow:run --id <shard-id> [--input <file.json>]'); return; } |
| 5301 | let input = {}; |
| 5302 | if (args['--input']) { |
| 5303 | const fs = await import('fs'); |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 908 | if (command === 'optimize') { |
| 909 | if (!args.input) { |
| 910 | console.error('Error: --input is required (path to alerting rules YAML/JSON).'); |
| 911 | process.exit(1); |
| 912 | } |
| 913 | const rules = await fs.readFile(nodePath.resolve(args.input), 'utf-8'); |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 861 | const inputRaw = args.input || args._?.[1] || ''; |
| 862 | |
| 863 | if (!inputRaw || (typeof inputRaw === 'string' && inputRaw.trim().length === 0)) { |
| 864 | console.error('Error: --input is required. Provide raw text or a file path.'); |
| 865 | process.exit(1); |
| 866 | } |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 1362 | : parseJSON(desiredContent).data; |
| 1363 | const desiredData = Array.isArray(desiredParsed) ? desiredParsed : [desiredParsed]; |
| 1364 | |
| 1365 | console.log(`\nSuggesting pipeline via FLUX (${data.length} input rows -> ${desiredData.length} output rows)...\n`); |
| 1366 | const result = await suggestPipeline(data, desiredData); |
| 1367 | if (!result.ok) { |
| 1368 | console.error(`Error: ${result.error}`); |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 885 | if (command === 'incident') { |
| 886 | if (!args.input) { |
| 887 | console.error('Error: --input is required (path to log file).'); |
| 888 | process.exit(1); |
| 889 | } |
| 890 | const logs = await fs.readFile(nodePath.resolve(args.input), 'utf-8'); |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 1278 | try { |
| 1279 | inputContent = await fs.readFile(inputPath, 'utf-8'); |
| 1280 | } catch (err) { |
| 1281 | console.error(`Error: Could not read input file: ${err.message}`); |
| 1282 | process.exit(1); |
| 1283 | } |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 4905 | if (!filePath) { |
| 4906 | console.log('Usage: pif file:write --path <file> --content "content"'); |
| 4907 | console.log(' pif file:write --path <file> --stdin < input.txt'); |
| 4908 | return; |
| 4909 | } |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 5624 | handler: async (args) => { |
| 5625 | const client = await getAuthedClient(); |
| 5626 | const idsArg = args['--ids'] || args._[0]; |
| 5627 | if (!idsArg) { console.error('Usage: skill:chain --ids <id1,id2,...> [--input <file.json>]'); return; } |
| 5628 | const skillIds = idsArg.split(',').map(s => s.trim()); |
| 5629 | let initialInput = {}; |
| 5630 | if (args['--input']) { |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 1132 | if (format === 'github-json') { |
| 1133 | // Output exact GitHub Pull Request Review API format |
| 1134 | console.log(JSON.stringify({ |
| 1135 | body: result.body ?? result.summary ?? '', |
| 1136 | event: result.event ?? 'COMMENT', |
| 1137 | comments: result.comments ?? [], |
| 1138 | }, null, 2)); |
| 1139 | } else { |
| 1140 | console.log(`Summary: ${result.summary ?? result.body ?? ''}\n`); |
| 1141 | const displayComments = result.comments ?? []; |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 8199 | var s = result.data || result; |
| 8200 | console.log('\n \x1b[36m[ MESH CAPABILITIES: ' + query + ' ]\x1b[0m\n'); |
| 8201 | console.log(' Network has ' + s.network.uniqueReceivers + ' active receivers'); |
| 8202 | console.log(' Use mesh:delegate --task "..." --capability "' + query + '" to find matches'); |
| 8203 | console.log(''); |
| 8204 | } catch (error) { |
| 8205 | console.error('Error: ' + error.message); |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 718 | if (command === 'analyze') { |
| 719 | if (!args.input || (typeof args.input === 'string' && args.input.trim().length === 0)) { |
| 720 | console.error('Error: --input is required for analysis (path to test results JSON).'); |
| 721 | process.exit(1); |
| 722 | } |
| 723 | const content = await fs.readFile(path.resolve(args.input), 'utf-8'); |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 8189 | handler: async (args) => { |
| 8190 | var query = args['--query'] || args._?.[0]; |
| 8191 | if (!query) { |
| 8192 | console.log('Usage: pif mesh:capabilities --query "security"'); |
| 8193 | return; |
| 8194 | } |
| 8195 | var client = new NHAClient(); |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 5088 | if (!filePath) { |
| 5089 | console.log('Usage: pif file:write --path <file> --content "content"'); |
| 5090 | console.log(' pif file:write --path <file> --stdin < input.txt'); |
| 5091 | return; |
| 5092 | } |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 7628 | fs.writeFileSync(notifyConfigPath, JSON.stringify(notifyConfig, null, 2)); |
| 7629 | |
| 7630 | const status = val ? '\x1b[32menabled\x1b[0m' : '\x1b[31mdisabled\x1b[0m'; |
| 7631 | console.log(`Notification "${event}" is now ${status}.`); |
| 7632 | console.log(`Saved to ${notifyConfigPath}`); |
| 7633 | }, |
| 7634 | }, |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 7797 | } |
| 7798 | |
| 7799 | console.log(''); |
| 7800 | console.log('Toggle: pif telegram:notify --event feed:hot --enabled false'); |
| 7801 | return; |
| 7802 | } |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
Silent error swallowing detected. An except clause that does `pass` or `...` discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 1524 | apiPost('/api/config',{key:configKey,value:''}).then(function(){ |
| 1525 | var el=document.getElementById('content'); |
| 1526 | if(el&&renderFn)renderFn(el); |
| 1527 | }).catch(function(){}); |
| 1528 | } |
| 1529 | function setupBanner(service,cmd){return '<div style="display:flex;align-items:center;gap:12px;padding:12px 16px;background:var(--bg2);border:1px solid var(--border);border-left:3px solid var(--amber);border-radius:var(--r);margin-bottom:14px;font-size:12px"><span style="font-size:20px">🔒</span><div><div style="color |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does `pass` or `...` discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 6306 | // Track download (fire-and-forget, auth may not be available) |
| 6307 | try { |
| 6308 | if (client.isAuthenticated) { |
| 6309 | client.trackExtensionDownload(id).catch(function() {}); |
| 6310 | } |
| 6311 | } catch (_e) { /* ignore */ } |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does `pass` or `...` discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 470 | try { |
| 471 | const json = JSON.parse(keysMatch[1]); |
| 472 | return String(Object.keys(json).length); |
| 473 | } catch {} |
| 474 | } |
| 475 | } |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does `pass` or `...` discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 222 | process.stdout.write(chunk); |
| 223 | fullText += chunk; |
| 224 | } |
| 225 | } catch {} |
| 226 | } |
| 227 | } |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does `pass` or `...` discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 3734 | } catch {} |
| 3735 | |
| 3736 | browserWs.on('close', () => { wsClients.delete(browserWs); if (daemonWs) try { daemonWs.close(); } catch {} }); |
| 3737 | browserWs.on('error', () => { wsClients.delete(browserWs); if (daemonWs) try { daemonWs.close(); } catch {} }); |
| 3738 | }); |
| 3739 | |
| 3740 | // ── Alexandria real-time — connect to server WS for each channel ────── |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.