Security
Every MCP risk signal in one place — CVEs, tool safety, drift, naming, licenses. Heuristic: review signals, not verdicts.
Severity totals:

- CRITICAL: 45
- HIGH: 3664
- MEDIUM: 531
- LOW: 1207
- NONE: 11
Static code-analysis findings — hidden prompt content in shipped skill files, committed secrets, dynamic-exec sinks, and suspicious call-home endpoints — across the analyzed catalogue. The analysis is heuristic and purely static: no code is executed, and every row deep-links to its source.
Analysis coverage:

- analyzed: 6275
- re-analysis due: 297
- not analyzable: 1444
- not yet analyzed: 9267
- source gone: 711
Running analyzer v17. The scanner changelog explains what each version detects and when it changed.
Findings by kind:

- hidden prompt: 82
- committed secret: 188
- dynamic exec: 375
- suspicious endpoint: 175
- token-log: 85
- oauth-scope: 112
- skill-script: 60
- ide-extension: 2
- skill file: 11681
Sample findings (severity, kind, package, matched pattern, matched line):

- HIGH, dynamic exec, `@iola_adm/iola-cli`, `new Function()`:
  `const value = await page.evaluate(new Function("return (" + params.script + ")"));`
- HIGH, dynamic exec, `tidewave`, `new Function()`:
  `var makeValidate = new Function("self", "RULES", "formats", "root", "refVal", "defaults", "customRules", "equal", "ucs2length", "ValidationError", sourceCode);`
- HIGH, dynamic exec, `@vpxa/aikit`, `eval()`:
  `` - Avoid `eval()`, `new Function()`, and dynamic `require()` — security + performance issues ``
- HIGH, dynamic exec, `@vpxa/aikit`, `new Function()`:
  `` - Avoid `eval()`, `new Function()`, and dynamic `require()` — security + performance issues ``
- HIGH, dynamic exec, `@vpxa/aikit`, `eval()`:
  `` - [ ] **eval/Function prevention**: No dynamic code execution from user input (`eval()`, `new Function()`, `vm.runInNewContext()`) ``
- HIGH, dynamic exec, `@vpxa/aikit`, `vm exec`:
  `` - [ ] **eval/Function prevention**: No dynamic code execution from user input (`eval()`, `new Function()`, `vm.runInNewContext()`) ``
- HIGH, dynamic exec, `@vpxa/aikit`, `new Function()`:
  `` - [ ] **eval/Function prevention**: No dynamic code execution from user input (`eval()`, `new Function()`, `vm.runInNewContext()`) ``
- HIGH, dynamic exec, `@kubb/plugin-mcp`, `new Function()`:
  `` new Function(`var ${name}`); ``
- HIGH, dynamic exec, `@kubb/plugin-mcp`, `new Function()`:
  `` new Function(`var ${name}`); ``
- HIGH, dynamic exec, `gm-codex`, `eval()`:
  `` const result = eval(`(${code})`); ``
- HIGH, dynamic exec, `@modelcontextprotocol/client`, `new Function()`:
  `` const validate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode)(this, this.scope.get()); ``
- HIGH, dynamic exec, `@neriros/ralphy`, `new Function()`:
  `` const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); ``
- HIGH, dynamic exec, `xmcp`, `new Function()`:
  `const func = new Function(`
- HIGH, dynamic exec, `openapi-mcp-generator`, `eval()`:
  `const zodSchema = eval(zodSchemaString);`
- HIGH, dynamic exec, `figma-console-mcp`, `eval()`:
  `codePromise = eval(wrappedCode);`