A command line tool for setting up Shopify Dev MCP server
Drift inferred · capture-to-capture
- HIGH code analysis flagged dynamic code execution in @shopify/dev-mcp
transport stdio counts 0 tools · 0 res
· 0 prompts
permission surface via code analysis
no tools enumerated yet for this server.
prompt-surface
shipped agent-instruction files + hidden-content / dangerous-code findings —
quoted from the analyzed source
analyzed v1.14.0 · analyzer v18 · 10h ago
danger signals1
- dynamic code executionnew Function()package/dist/index.js:7990
const H = new Function(`${r.default.self}`, `${r.default.scope}`, Z)(this, this.scope.get());
evidence-backed
findings quoted directly from the published source artifact — not inferred
filesystem 2
- fs package/dist/index-BynC56Ll.js :4
import { readFileSync as Ge, existsSync as ue, readdirSync as nr } from "fs"; - fs package/dist/tools.js :3
import { readFileSync as f } from "fs";
network 1
- net package/dist/index-BynC56Ll.js :3768
const i = await fetch(n.toString(), {
declared dependencies 28
- @modelcontextprotocol/sdk@1.29.0
- @react-router/dev@7.15.1
- @shopify/app-bridge-types@0.7.0
- @shopify/cli@>=3.93.1
- @shopify/hydrogen@2026.1.3
- @shopify/hydrogen-react@2026.1.2
- @shopify/polaris-types@1.0.1
- @shopify/theme-check-common@3.24.0
- @shopify/theme-check-docs-updater@3.24.0
- @shopify/theme-check-node@3.24.0
- graphql@16.13.2
- @types/react@19.2.14
- preact@10.28.4
- react-router@7.15.1
- schema-dts@1.1.5
- toml@3.0.0
- type-fest@5.5.0
- typescript@5.9.3
- zod@4.3.6
- @types/node@25.3.3
- @vitest/coverage-v8@4.1.0
- prettier@3.8.1
- tiktoken@1.0.22
- vite@6.4.2
- vite-plugin-dts@4.5.4
- vitest@4.1.5
- yaml@2.8.3
- @shopify/shopify-dev-tools@1.10.0