Tracked packageView full profile for kite-mcp-server

MCPSafe.io

Security pre-install checks for MCP servers.

Mostly safe — a couple of notes worth reading.

Compare to another server

github · kite-mcp-serverHEAD

Item: kite-mcp-server
Rating: 4
Author: MCPSafe

Scanned 5/3/2026, 6:29:55 PM·Cached result·Fast Scan·45 rules·How we decide ↗

AIVSS Score

2.3/ 10

Low

Severity Breakdown

critical

high

medium

low

MCP Server Information

Packagekite-mcp-server

VersionHEAD

SourceGITHUB

LicenseMIT

Publisherzerodha

Package age1y 2m

Stars255

Downloads/wk—

Dependencies0

Homepagehttps://mcp.kite.trade

Repositoryhttps://github.com/zerodha/kite-mcp-server

Findings

5 of 5 findings

medium (5)

5 findings

medium (5)

AIVSS 2.3CVSS 3.5

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

Evidence

- uses: actions/checkout@v4
    
    - name: Install Nix
      uses: cachix/install-nix-action@v27
      with:
        nix_path: nixpkgs=channel:nixos-unstable

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Report false positive

AIVSS 2.3CVSS 3.5

Evidence

permissions:
      contents: write
    steps:
    - uses: actions/checkout@v4
    
    - name: Install Nix
      uses: cachix/install-nix-action@v27

Remediation

Report false positive

AIVSS 2.3CVSS 3.5

Evidence

chmod +x kite-mcp-server-windows-amd64.exe
    
    - name: Create GitHub Release
      uses: softprops/action-gh-release@v2
      with:
        files: |
          kite-mcp-server-linux-amd64

Remediation

Report false positive

AIVSS 2.3CVSS 3.5

Evidence

- uses: actions/checkout@v4
    
    - name: Install Nix
      uses: cachix/install-nix-action@v27
      with:
        nix_path: nixpkgs=channel:nixos-unstable

Remediation

Report false positive

AIVSS 2.3CVSS 3.5

Evidence

test:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    
    - name: Install Nix
      uses: cachix/install-nix-action@v27

Remediation

Report false positive

LLM summary— kite-mcp-server:HEAD

This package receives a B grade with a safety score of 90/100 but has a concerning AIVSS score of 2.2/10, indicating potential AI/LLM security weaknesses. Five medium-severity findings related to server configuration were identified, suggesting the MCP server may have insecure default settings or exposed endpoints that could be exploited. You should review the specific server configuration issues before deployment, particularly if this will handle sensitive data or run in a shared environment.

Signal scores

Static100

CVE check100

Publisher identity50

Permissions100

Supply chain60

Typosquat100

Package health85

Community82

Secrets & exfil100

Injection risks100

Destructive ops100

LLM judge panel

CVE check

No known CVEs found for this package or its dependencies.

Community trust

No community reports

Security policy: Not found
Advisories: 0

Scan details

Total findings: 5
Affected tools: 0 / 1
Scan type: Fast Scan
Rules run: 45
LLM consensus score: N/A
Scanned: 56d ago
Source: GITHUB

MCP Server Information

Source: GITHUB
Package: kite-mcp-server
Version: HEAD
License: MIT
Publisher: zerodha
Verified: No
Account age: 8y 4m
Added: 1y 2m ago
Versions: 255
Homepage: https://mcp.kite.trade
Repository: https://github.com/zerodha/kite-mcp-server
Ecosystem: GitHub
Stars: 255
Forks: 101
Open issues: 44
Dependencies: 0

AIVSS Score

2.3/ 10Low

Internal score: 90/100

Severity breakdown

Scan Details

Total findings5

Affected tools0 / 1

Scanned56d ago

Scan modeFAST

SourceGITHUB

Scan IDpubfastdce3cff9ba4d9017acc4

Want deeper analysis?

Fast scan found 5 findings using rule-based analysis. Upgrade for LLM consensus across 5 judges, AI-generated remediation, and cross-file taint analysis.

View plans Scan another package

Building your own MCP server?

Run this exact engine on your private repo — before users see it on /scan.

Same rules, same LLM judges, same grade. Private scans stay isolated to your account and never appear in the public registry. Required for code your team hasn’t shipped yet.

See plans with Private scans How private scans stay private

5 of 5 findings

medium (5)

5 findings

medium (5)

AIVSS 2.3CVSS 3.5

Evidence

- uses: actions/checkout@v4
    
    - name: Install Nix
      uses: cachix/install-nix-action@v27
      with:
        nix_path: nixpkgs=channel:nixos-unstable

Remediation

Report false positive

AIVSS 2.3CVSS 3.5

Evidence

permissions:
      contents: write
    steps:
    - uses: actions/checkout@v4
    
    - name: Install Nix
      uses: cachix/install-nix-action@v27

Remediation

Report false positive

AIVSS 2.3CVSS 3.5

Evidence

chmod +x kite-mcp-server-windows-amd64.exe
    
    - name: Create GitHub Release
      uses: softprops/action-gh-release@v2
      with:
        files: |
          kite-mcp-server-linux-amd64

Remediation

Report false positive

AIVSS 2.3CVSS 3.5

Evidence

- uses: actions/checkout@v4
    
    - name: Install Nix
      uses: cachix/install-nix-action@v27
      with:
        nix_path: nixpkgs=channel:nixos-unstable

Remediation

Report false positive

AIVSS 2.3CVSS 3.5

Evidence

test:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    
    - name: Install Nix
      uses: cachix/install-nix-action@v27

Remediation

Report false positive

15	- uses: actions/checkout@v4
16
17	- name: Install Nix
18	uses: cachix/install-nix-action@v27
19	with:
20	nix_path: nixpkgs=channel:nixos-unstable

12	permissions:
13	contents: write
14	steps:
15	- uses: actions/checkout@v4
16
17	- name: Install Nix
18	uses: cachix/install-nix-action@v27

49	chmod +x kite-mcp-server-windows-amd64.exe
50
51	- name: Create GitHub Release
52	uses: softprops/action-gh-release@v2
53	with:
54	files: \|
55	kite-mcp-server-linux-amd64

10	test:
11	runs-on: ubuntu-latest
12	steps:
13	- uses: actions/checkout@v4
14
15	- name: Install Nix
16	uses: cachix/install-nix-action@v27