npm analyzed 0.37.0

@whitenoisenpm/testforge-mcp

v0.37.0
npm

TestForge MCP Server — AI-powered testing in your IDE. Analyzes code for security, unit tests, load, accessibility, vision alignment, scope coverage, and stack quality.

maintainer
whitenoisenpm
license
MIT
first seen
2026-06-10
last seen
2026-06-10
releases · 30d
77

Drift inferred · capture-to-capture

  1. HIGH — code analysis flagged dynamic code execution ×4 in @whitenoisenpm/testforge-mcp
capabilities: 0 tools
transport: stdio · http | counts: 0 tools · 0 res · 0 prompts | permission surface: via code analysis

no tools enumerated yet for this server.

code evidence v0.37.0 · npm-tarball
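evidence-backed findings quoted directly from the published source artifact — not inferred. each entry is the matched source line (file :line), so a category count includes comments, string literals and detection rules alongside real imports and calls — e.g. under shell / exec, fixes.js :28 and security-analyzer.js :355 are comments and function-summaries.js :37 is a matcher rule; the secrets entries reference process.env variables, not literal secret values.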

filesystem 20

  • fs package/dist/analyzers/accessibility-analyzer.js :1 import { readFileSync, existsSync } from 'fs';
  • fs package/dist/analyzers/code-scanner.js :2 import { readFileSync, existsSync, statSync } from 'fs';
  • fs package/dist/analyzers/k8s-analyzer.js :10 import { readFileSync } from 'fs';
  • fs package/dist/analyzers/lib/coverage.js :7 import { readFileSync } from 'fs';
  • fs package/dist/analyzers/lib/license-audit.js :25 import { readFileSync, existsSync, readdirSync, statSync } from 'fs';
  • fs package/dist/analyzers/lib/osv.js :7 import { readFileSync, existsSync } from 'fs';
  • fs package/dist/analyzers/lib/supply-chain.js :25 import { readFileSync, existsSync } from 'fs';
  • fs package/dist/analyzers/lib/user-rules.js :45 import { readFileSync, existsSync } from 'fs';
  • fs package/dist/analyzers/load-analyzer.js :1 import { readFileSync, existsSync } from 'fs';
  • fs package/dist/analyzers/security-analyzer.js :18 import { readFileSync } from 'fs';
  • fs package/dist/analyzers/unit-analyzer.js :2 import { readFileSync, existsSync } from 'fs';
  • fs package/dist/index.js :13 import { mkdirSync, rmSync, existsSync } from 'fs';
  • fs package/dist/load-env.js :5 import { readFileSync, writeFileSync, mkdirSync, chmodSync, existsSync } from 'fs';
  • fs package/dist/local-db.js :2 import { mkdirSync, existsSync } from 'fs';
  • fs package/dist/runner/docker-runner.js :10 import { mkdirSync, writeFileSync, rmSync, existsSync } from 'fs';
  • fs package/dist/setup.js :10 import { writeFileSync, mkdirSync, existsSync, readFileSync, chmodSync } from 'node:fs';
  • fs package/dist/simulation/compose-sandbox.js :17 import { writeFileSync, rmSync } from 'fs';
  • fs package/dist/simulation/runnable-detect.js :13 import { existsSync, readFileSync, readdirSync } from 'fs';
  • fs package/dist/simulation/wired-unit.js :13 import { writeFileSync, rmSync } from 'fs';
  • fs package/runner/e2e-crawl.mjs :10 import { readFileSync } from 'node:fs';

shell / exec 14

  • shell package/dist/analyzers/lib/fixes.js :28 // • eval / Function ctor / child_process.exec — refactor needs human
  • shell package/dist/analyzers/lib/function-summaries.js :37 { match: (n) => /(?:^|\.)(?:exec|execSync)$/.test(n) && /child_process/.test(n), category: 'Dangerous Functions', argIndex: 0 },
  • shell package/dist/analyzers/lib/py-edge-cases.js :36 import { spawnSync } from 'node:child_process';
  • shell package/dist/analyzers/lib/py-endpoints.js :8 import { spawnSync } from 'node:child_process';
  • shell package/dist/analyzers/lib/py-taint.js :18 import { spawnSync } from 'node:child_process';
  • shell package/dist/analyzers/lib/py-test-quality.js :6 import { spawnSync } from 'node:child_process';
  • shell package/dist/analyzers/security-analyzer.js :355 /* 2. RCE sinks: eval, Function ctor, child_process.exec, setTimeout("…") */
  • shell package/dist/generator/source-wiring.js :13 'assert', 'async_hooks', 'buffer', 'child_process', 'cluster', 'console', 'constants',
  • shell package/dist/index.js :12 import { execSync } from 'child_process';
  • shell package/dist/runner/docker-runner.js :9 import { spawn } from 'child_process';
  • shell package/dist/simulation/e2e-crawl.js :6 import { spawn } from 'child_process';
  • shell package/dist/simulation/e2e-journey.js :6 import { spawn } from 'child_process';
  • shell package/dist/simulation/sandbox.js :14 import { spawn } from 'child_process';
  • shell package/dist/simulation/wired-unit.js :12 import { spawn } from 'child_process';

network 4

  • net package/dist/analyzers/lib/load-patterns.js :102 // fetch(url, { signal: AbortSignal.timeout(N) })
  • net package/dist/analyzers/lib/osv.js :158 const res = await fetch('https://api.osv.dev/v1/querybatch', {
  • net package/dist/analyzers/load-analyzer.js :181 description: 'No `server.timeout`, `axios.create({ timeout })`, or `fetch(url, { signal })` was found. Slow requests can exhaust connections.',
  • net package/dist/index.js :1013 const res = await fetch(`http://localhost:${PORT}/clone-and-analyze`, {

secrets 3

  • secrets package/dist/analyzers/lib/fixes.js :22 // `process.env.PASSWORD`.
  • secrets package/dist/generator/llm-client.js :68 apiKey = process.env.TESTFORGE_LLM_API_KEY || process.env.OPENROUTER_API_KEY;
  • secrets package/dist/index.js :86 const runSecret = process.env.TESTFORGE_RUN_SECRET;

database 1

  • db package/dist/local-db.js :1 import Database from 'better-sqlite3';

declared dependencies 21

  • @ai-sdk/openai@^3.0.65
  • @babel/parser@^7.29.7
  • @babel/traverse@^7.29.7
  • @babel/types@^7.29.7
  • @fastify/cors@^9.0.0
  • @fastify/static@^7.0.4
  • ai@^6.0.191
  • better-sqlite3@^12.10.0
  • chalk@^5.3.0
  • dotenv@^16.4.0
  • fast-json-stringify@^5.16.1
  • fastify@^4.28.0
  • glob@^10.4.0
  • js-yaml@^4.1.1
  • zod@^4.4.3
  • @types/babel__traverse@^7.28.0
  • @types/js-yaml@^4.0.9
  • @types/node@^20.0.0
  • tsx@^4.15.0
  • typescript@^5.4.0
  • vitest@^4.1.7