Drift inferred · capture-to-capture
- HIGH code analysis flagged dynamic code execution in smithery-ai/cli
transport: stdio · http
counts: 0 tools · 0 res · 0 prompts
permission surface via code analysis
no tools enumerated yet for this server.
prompt-surface
shipped agent-instruction files + hidden-content / dangerous-code findings —
quoted from the analyzed source
analyzed commit 407ac3b · analyzer v18 · 9h ago
skills & prompt files 4
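danger signals 2
- dynamic code execution · new Function() · smithery-ai-cli-407ac3b/src/utils/run/prepare-stdio-connection.ts:95
  const stdioFn = new Function(
  note: the excerpt stops at the opening parenthesis, so the arguments are not quoted here; whether this is exploitable depends on whether the function body is built from input the user does not control, which has to be checked at the call site.
- credential in logs · credential in log · smithery-ai-cli-407ac3b/src/index.ts:485
  console.log(`SMITHERY_API_KEY=${apiKey}`)
  note: this writes the API key value to standard output, so anything that captures the CLI's output (CI job logs, terminal recordings, redirected files) keeps a copy of the key.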
evidence-backed
findings quoted directly from the published source artifact — not inferred
filesystem 13
- fs smithery-ai-cli-407ac3b/build.mjs:1
  import { existsSync, mkdirSync, readFileSync } from "node:fs"
- fs smithery-ai-cli-407ac3b/src/commands/homepage.ts:9
  } from "node:fs"
- fs smithery-ai-cli-407ac3b/src/commands/mcp/deploy.ts:2
  import { createReadStream, writeFileSync } from "node:fs"
- fs smithery-ai-cli-407ac3b/src/commands/mcp/source.ts:1
  import { readFile, realpath, stat } from "node:fs/promises"
- fs smithery-ai-cli-407ac3b/src/index.ts:3
  import { realpathSync } from "node:fs"
- fs smithery-ai-cli-407ac3b/src/lib/client-config-io.ts:2
  import fs from "node:fs"
- fs smithery-ai-cli-407ac3b/src/lib/config-loader.ts:1
  import { existsSync, readFileSync } from "node:fs"
- fs smithery-ai-cli-407ac3b/src/lib/dev-server.ts:1
  import { readFile } from "node:fs/promises"
- fs smithery-ai-cli-407ac3b/src/lib/lazy-import.ts:2
  import { existsSync } from "node:fs"
- fs smithery-ai-cli-407ac3b/src/lib/mcpb.ts:1
  import * as fs from "node:fs"
- fs smithery-ai-cli-407ac3b/src/utils/cli-utils.ts:1
  import { existsSync, readFileSync } from "node:fs"
- fs smithery-ai-cli-407ac3b/src/utils/smithery-settings.ts:1
  import { promises as fs } from "node:fs"
- fs smithery-ai-cli-407ac3b/src/utils/tool-schema-cache.ts:1
  import { promises as fs } from "node:fs"
shell / exec 10
- shell smithery-ai-cli-407ac3b/src/commands/homepage.ts:1
  import { execSync, spawn } from "node:child_process"
- shell smithery-ai-cli-407ac3b/src/commands/mcp/add-flow.ts:1
  import { execFile } from "node:child_process"
- shell smithery-ai-cli-407ac3b/src/commands/mcp/deploy.ts:1
  import { spawn } from "node:child_process"
- shell smithery-ai-cli-407ac3b/src/lib/cli-auth.ts:1
  import { exec } from "node:child_process"
- shell smithery-ai-cli-407ac3b/src/lib/client-config-io.ts:1
  import { execFileSync } from "node:child_process"
- shell smithery-ai-cli-407ac3b/src/lib/lazy-import.ts:1
  import { execFile } from "node:child_process"
- shell smithery-ai-cli-407ac3b/src/lib/skill-install.ts:85
  const { execSync } = await import("node:child_process")
- shell smithery-ai-cli-407ac3b/src/lib/uplink.ts:1
  import { spawn } from "node:child_process"
- shell smithery-ai-cli-407ac3b/src/utils/client.ts:1
  import { exec } from "node:child_process"
- shell smithery-ai-cli-407ac3b/src/utils/runtime.ts:1
  import { exec } from "node:child_process"
network 9
- net smithery-ai-cli-407ac3b/src/commands/homepage.ts:166
  const res = await fetch(`http://127.0.0.1:${port}`, {
- net smithery-ai-cli-407ac3b/src/commands/mcp/api.ts:198
  const response = await fetch(dynamicMcpUrl(this.namespace, connectionId), {
- net smithery-ai-cli-407ac3b/src/commands/mcp/uplink-target.ts:2
  import { isIP } from "node:net"
- net smithery-ai-cli-407ac3b/src/commands/run/stdio-runner.ts:74
  await fetch(ANALYTICS_ENDPOINT, {
- net smithery-ai-cli-407ac3b/src/lib/cli-auth.ts:114
  const response = await fetch(sessionUrl, {
- net smithery-ai-cli-407ac3b/src/lib/mcpb.ts:67
  return fetch(bundleUrl)
- net smithery-ai-cli-407ac3b/src/lib/registry.ts:63
  await fetch(ANALYTICS_ENDPOINT, {
- net smithery-ai-cli-407ac3b/src/runtime/shttp-bootstrap.ts:17
  fetch(request: Request): Promise<Response>
- net smithery-ai-cli-407ac3b/src/utils/analytics.ts:180
  await fetch(ANALYTICS_ENDPOINT, {
secrets 2
- secrets smithery-ai-cli-407ac3b/src/lib/registry.ts:53
  const apiKey = process.env.SMITHERY_API_KEY
- secrets smithery-ai-cli-407ac3b/src/utils/smithery-settings.ts:231
  if (process.env.SMITHERY_API_KEY) {
install hooks 1
- postinstall smithery-ai-cli-407ac3b/package.json :14
node scripts/postinstall.js
declared dependencies 34
- @anthropic-ai/mcpb@^1.1.1
- @biomejs/biome@2.3.10
- @modelcontextprotocol/sdk@^1.25.3
- @smithery/api@^0.67.0
- @smithery/sdk@^4.1.0
- @types/inquirer@^8.2.4
- @types/inquirer-autocomplete-prompt@^3.0.3
- @types/node@^20.19.27
- @types/ws@^8.18.1
- commander@^14.0.0
- comment-json@^4.5.1
- dotenv@^17.2.2
- es-toolkit@^1.0.0
- esbuild@^0.27.0
- fflate@^0.8.2
- flexsearch@^0.7.43
- inquirer@^8.2.4
- inquirer-autocomplete-prompt@^2.0.0
- keytar@^7.9.0
- knip@^5.80.0
- miniflare@^4.20260103.0
- picocolors@^1.1.0
- shx@^0.4.0
- tinyglobby@^0.2.0
- tsx@^4.19.2
- typescript@^5.9.3
- uuid@^11.1.0
- uuidv7@^1.0.2
- vitest@^3.2.4
- ws@^8.20.0
- yaml@^2.3.4
- yocto-spinner@^0.2.0
- zod@^4
- zod-to-json-schema@^3.25.1