Open-source control plane for your AI agents. Connect tools, hire agents, track every token and dollar
Drift inferred · capture-to-capture
- HIGH code analysis flagged dynamic code execution in decocms/studio
- HIGH code analysis flagged dynamic code execution in decocms/studio
- HIGH code analysis flagged dynamic code execution in decocms/studio
- HIGH code analysis flagged dynamic code execution in decocms/studio
- HIGH code analysis flagged dynamic code execution in decocms/studio
- HIGH code analysis flagged dynamic code execution in decocms/studio
- HIGH code analysis flagged dynamic code execution in decocms/studio
- HIGH code analysis flagged dynamic code execution in decocms/studio
transport streamable-http · http counts 0 tools · 0 res
· 0 prompts
permission surface via code analysis
no tools enumerated yet for this server.
prompt-surface
shipped agent-instruction files + hidden-content / dangerous-code findings —
quoted from the analyzed source
analyzed v3.31.1 · analyzer v18 · 1h ago
skills & prompt files 16
- skilldecocms-studio-8431cca/.cursor/skills/add-mcp-tools/SKILL.md
- skilldecocms-studio-8431cca/.cursor/skills/commit/SKILL.md
- skilldecocms-studio-8431cca/.cursor/skills/respond-to-pr-review/SKILL.md
- skilldecocms-studio-8431cca/.cursor/skills/review-plan/SKILL.md
- skilldecocms-studio-8431cca/.cursor/skills/review-pr/SKILL.md
- agent-rulesdecocms-studio-8431cca/AGENTS.md
- agent-rulesdecocms-studio-8431cca/apps/docs/client/src/content/deco-studio/en/studio/agents.mdx
- agent-rulesdecocms-studio-8431cca/apps/docs/client/src/content/deco-studio/pt-br/studio/agents.mdx
- agent-rulesdecocms-studio-8431cca/packages/mesh-plugin-workflows/CLAUDE.md
- skilldecocms-studio-8431cca/packages/sandbox/image/skills/docx/SKILL.md
- skilldecocms-studio-8431cca/packages/sandbox/image/skills/file-reading/SKILL.md
- skilldecocms-studio-8431cca/packages/sandbox/image/skills/pdf/SKILL.md
- skilldecocms-studio-8431cca/packages/sandbox/image/skills/pptx/SKILL.md
- skilldecocms-studio-8431cca/packages/sandbox/image/skills/slides/SKILL.md
- skilldecocms-studio-8431cca/packages/sandbox/image/skills/templating/SKILL.md
- skilldecocms-studio-8431cca/packages/sandbox/image/skills/xlsx/SKILL.md
evidence-backed
findings quoted directly from the published source artifact — not inferred
last analysis: too-large · showing evidence from the last successful analysis (12h ago)
filesystem 24
- fs decocms-studio-8431cca/apps/mesh/scripts/bundle-server-script.ts :15
import { cp, mkdir, readFile, rm, stat } from "fs/promises"; - fs decocms-studio-8431cca/apps/mesh/scripts/generate-migrations.ts :12
import { readdir, writeFile } from "node:fs/promises"; - fs decocms-studio-8431cca/apps/mesh/scripts/smoke-tarball.ts :28
import { mkdtemp, writeFile } from "fs/promises"; - fs decocms-studio-8431cca/apps/mesh/src/api/routes/dev-assets-mcp.ts :31
import { mkdir, readdir, rm, stat } from "node:fs/promises"; - fs decocms-studio-8431cca/apps/mesh/src/api/routes/dev-assets.ts :16
import { mkdir, writeFile } from "node:fs/promises"; - fs decocms-studio-8431cca/apps/mesh/src/api/routes/org-fs.ts :447
await r.fs.mkdir(volume, c.req.query("path") ?? "", { - fs decocms-studio-8431cca/apps/mesh/src/auth/dev-link-session.ts :23
import { existsSync } from "node:fs"; - fs decocms-studio-8431cca/apps/mesh/src/cli/commands/completion.ts :4
import { writeFile } from "fs/promises"; - fs decocms-studio-8431cca/apps/mesh/src/cli/commands/init.ts :4
import { existsSync, readdirSync } from "fs"; - fs decocms-studio-8431cca/apps/mesh/src/cli/commands/link.ts :14
import { closeSync, mkdirSync, openSync, writeSync } from "node:fs"; - fs decocms-studio-8431cca/apps/mesh/src/cli/lib/session.ts :9
} from "node:fs/promises"; - fs decocms-studio-8431cca/apps/mesh/src/core/config.ts :6
import { existsSync, readFileSync } from "fs"; - fs decocms-studio-8431cca/apps/mesh/src/index.ts :70
import { existsSync } from "fs"; - fs decocms-studio-8431cca/apps/mesh/src/link-daemon/ensure-rclone.ts :9
import { existsSync, mkdirSync } from "node:fs"; - fs decocms-studio-8431cca/apps/mesh/src/link-daemon/machine-id.ts :14
import { mkdir, readFile, writeFile } from "node:fs/promises"; - fs decocms-studio-8431cca/apps/mesh/src/link-daemon/outbox.ts :20
import { mkdirSync } from "node:fs"; - fs decocms-studio-8431cca/apps/mesh/src/link-daemon/user-desktop-provider.ts :20
import { mkdir } from "node:fs/promises"; - fs decocms-studio-8431cca/apps/mesh/src/monitoring/ndjson-exporter.ts :3
import { mkdir, rename, writeFile } from "node:fs/promises"; - fs decocms-studio-8431cca/apps/mesh/src/monitoring/ndjson-retention.ts :1
import { readdir, rm } from "node:fs/promises"; - fs decocms-studio-8431cca/apps/mesh/src/object-storage/dev-object-storage.ts :12
import type { Dirent } from "node:fs"; - fs decocms-studio-8431cca/apps/mesh/src/services/ensure-services.ts :19
} from "fs"; - fs decocms-studio-8431cca/packages/runtime/scripts/generate-json-schema.ts :2
import { writeFileSync } from "node:fs"; - fs decocms-studio-8431cca/packages/runtime/src/trigger-storage.ts :156
const raw = await fs.readFile(this.path, "utf-8"); - fs decocms-studio-8431cca/packages/typegen/src/cli.ts :5
import { writeFile } from "node:fs/promises";
shell / exec 3
- shell decocms-studio-8431cca/apps/mesh/scripts/bundle-server-script.ts :665
"child_process", - shell decocms-studio-8431cca/apps/mesh/src/cli/commands/auth/login.ts :1
import { spawn } from "node:child_process"; - shell decocms-studio-8431cca/packages/create-deco/index.js :10
const { spawn } = require("child_process");
network 92
- net decocms-studio-8431cca/apps/mesh/scripts/smoke-link.ts :26
const res = await fetch(`${baseUrl}/api/links/me`, { - net decocms-studio-8431cca/apps/mesh/src/ai-providers/adapters/deco-ai-gateway.ts :25
const res = await fetch(`${getBase()}/api/credits/checkout`, { - net decocms-studio-8431cca/apps/mesh/src/ai-providers/adapters/google.ts :92
const res = await fetch( - net decocms-studio-8431cca/apps/mesh/src/ai-providers/adapters/openai-compatible.ts :58
const res = await fetch(`${baseUrl}/models`, { - net decocms-studio-8431cca/apps/mesh/src/ai-providers/adapters/openrouter.ts :37
const res = await fetch("https://openrouter.ai/api/v1/auth/keys", { - net decocms-studio-8431cca/apps/mesh/src/ai-providers/factory.ts :75
const res = await fetch("https://openrouter.ai/api/v1/models", { - net decocms-studio-8431cca/apps/mesh/src/api/app.ts :600
const response = await fetch(targetUrl.toString(), { - net decocms-studio-8431cca/apps/mesh/src/api/routes/deco-apps.ts :54
const res = await fetch( - net decocms-studio-8431cca/apps/mesh/src/api/routes/deco-sites.ts :33
const res = await fetch(`${supabaseUrl}/rest/v1/${path}`, { - net decocms-studio-8431cca/apps/mesh/src/api/routes/decopilot/link-work-routes.ts :129
// consumer.fetch() returns Promise<ConsumerMessages> (a QueuedIterator<JsMsg>). - net decocms-studio-8431cca/apps/mesh/src/api/routes/files.ts :122
const upstream = await fetch(presignedUrl, { headers: upstreamHeaders }); - net decocms-studio-8431cca/apps/mesh/src/api/routes/oauth-proxy.ts :582
return fetch(url, { ...init, signal: AbortSignal.timeout(timeoutMs) }); - net decocms-studio-8431cca/apps/mesh/src/api/routes/org-sso.ts :220
const tokenResponse = await fetch(discovery.token_endpoint, { - net decocms-studio-8431cca/apps/mesh/src/api/routes/registry/public-mcp-server.ts :219
return await mcpServer.fetch(newRequest, env, c); - net decocms-studio-8431cca/apps/mesh/src/api/routes/sandbox-proxy.ts :621
// -- Preview fetch (CORS proxy) ------------------------------------------- - net decocms-studio-8431cca/apps/mesh/src/auth/extract-brand.ts :44
const response = await fetch("https://api.firecrawl.dev/v1/scrape", { - net decocms-studio-8431cca/apps/mesh/src/auth/known-email-providers.ts :16
const response = await fetch("https://api.resend.com/emails", { - net decocms-studio-8431cca/apps/mesh/src/cli/commands/link.ts :90
res = await fetch(`${clusterBaseUrl}/api/links/me`, { - net decocms-studio-8431cca/apps/mesh/src/cli/find-available-port.ts :1
import { createServer } from "net"; - net decocms-studio-8431cca/apps/mesh/src/cli/lib/oauth-callback.ts :41
fetch(req) { - net decocms-studio-8431cca/apps/mesh/src/cli/lib/port-wait.ts :1
import { createServer } from "node:net"; - net decocms-studio-8431cca/apps/mesh/src/file-storage/mount/client.ts :18
/** Override fetch (tests point this at an in-process Hono app). */ - net decocms-studio-8431cca/apps/mesh/src/file-storage/skill-set-sync.ts :113
const res = await fetch(url, { signal: AbortSignal.timeout(60_000) }); - net decocms-studio-8431cca/apps/mesh/src/index.ts :204
return app.fetch(request, { server }); - net decocms-studio-8431cca/apps/mesh/src/link-daemon/ensure-rclone.ts :42
const res = await fetch(url); - net decocms-studio-8431cca/apps/mesh/src/link-daemon/local-ingress.ts :65
async fetch(req, srv) { - net decocms-studio-8431cca/apps/mesh/src/link-daemon/user-desktop-provider.ts :21
import { createServer } from "node:net"; - net decocms-studio-8431cca/apps/mesh/src/mcp-clients/lazy-client.ts :217
const result = await readCache.fetch({ - net decocms-studio-8431cca/apps/mesh/src/mcp-clients/mcp-read-cache.ts :201
async fetch(params: { - net decocms-studio-8431cca/apps/mesh/src/oauth/refresh-access-token.ts :89
const response = await fetch(token.tokenEndpoint, { - net decocms-studio-8431cca/apps/mesh/src/services/ensure-services.ts :23
import { createConnection, createServer } from "net"; - net decocms-studio-8431cca/apps/mesh/src/shared/github-clone-info.ts :94
const res = await fetch("https://api.github.com/user", { - net decocms-studio-8431cca/apps/mesh/src/shared/github-runtime-detect.ts :129
const res = await fetch(url, { - net decocms-studio-8431cca/apps/mesh/src/storage/connection.ts :407
const response = await fetch(connection.connection_url, { - net decocms-studio-8431cca/apps/mesh/src/storage/threads.ts :171
* org-scoped thread fetch (R23) — the part storage itself is not org-bound. - net decocms-studio-8431cca/apps/mesh/src/tools/github/list-user-orgs.ts :100
fetch( - net decocms-studio-8431cca/apps/mesh/src/tools/registry/discover-tools.ts :117
const res = await fetch(url, { - net decocms-studio-8431cca/apps/mesh/src/tools/virtual/delete.ts :90
await fetch("https://api.github.com/installation/token", { - net decocms-studio-8431cca/apps/mesh/src/web/components/auto-domain-join-screen.tsx :23
const res = await fetch("/api/auth/custom/domain-join", { - net decocms-studio-8431cca/apps/mesh/src/web/components/automations/webhook-secret-dialog.tsx :80
? `await fetch("${effectiveUrl}", {\n method: "POST",\n headers: {\n Authorization: "Bearer ${token}",\n "Content-Type": "application/json",\n },\n body: JSON.stringify({ hello: "world" }),\ - net decocms-studio-8431cca/apps/mesh/src/web/components/chat/chat-context.tsx :1066
const res = await fetch(`/api/${org.slug}/decopilot/cancel/${taskId}`, { - net decocms-studio-8431cca/apps/mesh/src/web/components/chat/message/parts/tool-call-part/subtask.tsx :149
* Suspends on the agent fetch (useVirtualMCP). MUST be wrapped in - net decocms-studio-8431cca/apps/mesh/src/web/components/chat/message/parts/tool-call-part/web-search.tsx :191
const res = await fetch(blobUrl!); - net decocms-studio-8431cca/apps/mesh/src/web/components/chat/store/thread-connection.ts :603
resp = await fetch(url, { - net decocms-studio-8431cca/apps/mesh/src/web/components/chat/use-thread-outputs.ts :36
const res = await fetch( - net decocms-studio-8431cca/apps/mesh/src/web/components/deck/use-deck-editor.ts :208
const res = await fetch(args.readUrl, { credentials: "include" }); - net decocms-studio-8431cca/apps/mesh/src/web/components/details/connection/index.tsx :319
const response = await fetch( - net decocms-studio-8431cca/apps/mesh/src/web/components/file-preview.tsx :16
* Text-ish fetches go through `fetch(credentials: "include")`; if that - net decocms-studio-8431cca/apps/mesh/src/web/components/home/tile-board/board-layout-store.ts :77
const res = await fetch(`/api/${orgSlug}/kv/${KV_KEY}`, { - net decocms-studio-8431cca/apps/mesh/src/web/components/import-from-deco-dialog.tsx :49
const res = await fetch(`/api/${orgSlug}/deco-sites`); - net decocms-studio-8431cca/apps/mesh/src/web/components/sections-editor/use-decofile.ts :22
const res = await fetch( - net decocms-studio-8431cca/apps/mesh/src/web/components/sections-editor/use-delete-block.ts :27
const res = await fetch( - net decocms-studio-8431cca/apps/mesh/src/web/components/sections-editor/use-live-meta.ts :29
const res = await fetch( - net decocms-studio-8431cca/apps/mesh/src/web/components/sections-editor/use-save-block.ts :33
const res = await fetch( - net decocms-studio-8431cca/apps/mesh/src/web/components/sidebar/agents-section.tsx :83
const res = await fetch("/api/deco-sites/profile"); - net decocms-studio-8431cca/apps/mesh/src/web/components/sidebar/task-groups/show-more-button.tsx :11
* determines there are more pages to fetch (`hasMore || isFetching`). - net decocms-studio-8431cca/apps/mesh/src/web/components/thread/github/sandbox-git-api.ts :95
return fetch(url, { cache: "no-store", ...init }); - net decocms-studio-8431cca/apps/mesh/src/web/hooks/registry/use-image-upload.ts :78
const uploadResponse = await fetch(presignedUrl, { - net decocms-studio-8431cca/apps/mesh/src/web/hooks/use-auto-install-github.ts :126
const response = await fetch( - net decocms-studio-8431cca/apps/mesh/src/web/hooks/use-capability.ts :52
const res = await fetch( - net decocms-studio-8431cca/apps/mesh/src/web/hooks/use-deco-apps-catalog.ts :11
const res = await fetch("/api/deco-apps"); - net decocms-studio-8431cca/apps/mesh/src/web/hooks/use-file-picker.ts :86
const response = await fetch( - net decocms-studio-8431cca/apps/mesh/src/web/hooks/use-home-next-actions.ts :45
const res = await fetch(`/api/${orgSlug}/home-next-actions`, { - net decocms-studio-8431cca/apps/mesh/src/web/hooks/use-org-access-status.ts :27
const res = await fetch( - net decocms-studio-8431cca/apps/mesh/src/web/hooks/use-org-fs.ts :64
const res = await fetch(url, init); - net decocms-studio-8431cca/apps/mesh/src/web/hooks/use-org-sso.ts :24
const response = await fetch(`/api/${orgSlug}/sso/status`); - net decocms-studio-8431cca/apps/mesh/src/web/hooks/use-public-config.ts :13
const response = await fetch("/api/config"); - net decocms-studio-8431cca/apps/mesh/src/web/hooks/use-registry-app.ts :19
* @param options.enabled - Whether to fetch (default: true). Pass `false` to defer. - net decocms-studio-8431cca/apps/mesh/src/web/layouts/library/cards.tsx :318
const res = await fetch(skillMdUrl, { credentials: "include" }); - net decocms-studio-8431cca/apps/mesh/src/web/layouts/library/skill-preview-dialog.tsx :45
const res = await fetch(skillMdUrl, { credentials: "include" }); - net decocms-studio-8431cca/apps/mesh/src/web/lib/provision-repo-scoped-github-connection.ts :164
const tokenRes = await fetch( - net decocms-studio-8431cca/apps/mesh/src/web/lib/studio-tools.ts :35
const res = await fetch( - net decocms-studio-8431cca/apps/mesh/src/web/providers/theme-provider.tsx :18
const response = await fetch("/api/config"); - net decocms-studio-8431cca/apps/mesh/src/web/routes/login.tsx :24
res = await fetch("/api/auth/custom/local-session", { - net decocms-studio-8431cca/apps/mesh/src/web/routes/onboarding.tsx :171
const res = await fetch("/api/auth/custom/domain-lookup", { - net decocms-studio-8431cca/apps/mesh/src/web/routes/orgs/connections.tsx :858
const response = await fetch( - net decocms-studio-8431cca/apps/mesh/src/web/views/registry/monitor-connections-panel.tsx :175
const res = await fetch( - net decocms-studio-8431cca/apps/mesh/src/web/views/virtual-mcp/add-connection-dialog.tsx :719
const response = await fetch( - net decocms-studio-8431cca/apps/mesh/src/web/views/virtual-mcp/index.tsx :303
const res = await fetch(userinfoEndpoint, { - net decocms-studio-8431cca/packages/bindings/src/core/client/mcp-client.ts :109
return fetch(req, { - net decocms-studio-8431cca/packages/mesh-sdk/src/hooks/use-connection.ts :97
* @param connectionId - The ID of the connection to fetch (undefined returns null without making an API call) - net decocms-studio-8431cca/packages/mesh-sdk/src/hooks/use-mcp-resources.ts :186
const res = await fetch(url, { credentials: "include" }); - net decocms-studio-8431cca/packages/mesh-sdk/src/hooks/use-virtual-mcp.ts :83
* @param virtualMcpId - The ID of the virtual MCP to fetch (null/undefined for default virtual MCP) - net decocms-studio-8431cca/packages/mesh-sdk/src/lib/mcp-oauth.ts :757
const response = await fetch(url, { - net decocms-studio-8431cca/packages/mesh-sdk/src/lib/rest-self-client.ts :61
res = await fetch(toUrl(`/tools/${encodeURIComponent(params.name)}`), { - net decocms-studio-8431cca/packages/runtime/src/asset-server/index.ts :164
* return await handleAssets(request) ?? app.fetch(request); - net decocms-studio-8431cca/packages/runtime/src/client.ts :41
const response = await fetch(`/mcp/call-tool/${String(prop)}`, { - net decocms-studio-8431cca/packages/runtime/src/decopilot.ts :133
const response = await fetch(streamUrl, { - net decocms-studio-8431cca/packages/runtime/src/index.ts :359
return server.fetch(req, env, ctx); - net decocms-studio-8431cca/packages/runtime/src/trigger-storage.ts :56
const res = await fetch( - net decocms-studio-8431cca/packages/runtime/src/triggers.ts :289
fetch(credentials.callbackUrl, { - net decocms-studio-8431cca/packages/ui/src/lib/github.ts :119
const response = await fetch(
secrets 8
- secrets decocms-studio-8431cca/apps/mesh/src/api/routes/public-config.ts :68
const key = process.env.POSTHOG_KEY; - secrets decocms-studio-8431cca/apps/mesh/src/index.ts :140
const conductorKey = process.env.DBOS_CONDUCTOR_KEY?.trim(); - secrets decocms-studio-8431cca/apps/mesh/src/posthog.ts :16
const apiKey = process.env.POSTHOG_KEY; - secrets decocms-studio-8431cca/packages/runtime/src/trigger-storage.ts :35
* apiKey: process.env.MESH_API_KEY!, - secrets decocms-studio-8431cca/packages/typegen/src/cli.ts :31
apiKey: get("--key") ?? process.env.MESH_API_KEY, - secrets decocms-studio-8431cca/packages/typegen/src/codegen.ts :205
apiKey: process.env.MESH_API_KEY, - secrets decocms-studio-8431cca/packages/typegen/src/index.ts :14
/** Falls back to process.env.MESH_API_KEY */ - secrets decocms-studio-8431cca/packages/typegen/src/runtime.ts :28
const apiKey = opts.apiKey ?? process.env.MESH_API_KEY;
database 3
- db decocms-studio-8431cca/apps/mesh/src/api/app.ts :185
import type { Pool, PoolClient } from "pg"; - db decocms-studio-8431cca/apps/mesh/src/automations/dbos-workflow.ts :39
import type { Pool } from "pg"; - db decocms-studio-8431cca/apps/mesh/src/database/index.ts :10
import { Pool } from "pg";
declared dependencies 10
- @biomejs/biome@2.2.5
- @types/bun@^1.3.1
- @types/node@^24.9.1
- @types/react@^19.2.14
- @types/react-dom@^19.2.3
- knip@^5.83.1
- oxlint@1.23.0
- react@^19.2.6
- typescript@^5.9.3
- worktree-devservers@0.3.1
cursor-plugin 2
- opaque (low) decocms-studio-8431cca/.cursor/skills/add-mcp-tools/SKILL.md
bundled .cursor/ plugin descriptor (decocms-studio-8431cca/.cursor/skills/add-mcp-tools/SKILL.md) — presence-detected; review the descriptor - opaque (low) decocms-studio-8431cca/.cursor/worktrees.json
bundled .cursor/ plugin descriptor (decocms-studio-8431cca/.cursor/worktrees.json) — presence-detected; review the descriptor