The MCP framework
Drift inferred · capture-to-capture
No drift recorded — single capability capture; advisories appear once its surface changes.
transport stdio · streamable-http · http counts 0 tools · 0 res
· 0 prompts
permission surface via code analysis
no tools enumerated yet for this server.
prompt-surface
shipped agent-instruction files + hidden-content / dangerous-code findings —
quoted from the analyzed source
analyzed v0.6.11 · analyzer v18 · 9h ago
danger signals1
- dynamic code executionnew Function()package/src/compiler/parse-xmcp-config.ts:173
const func = new Function(
evidence-backed
findings quoted directly from the published source artifact — not inferred
filesystem 24
- fs package/dist/detached-flush.js :1
!function(e,t){if("object"==typeof exports&&"object"==typeof module)module.exports=t();else if("function"==typeof define&&define.amd)define([],t);else{var n=t();for(var r in n)("object"==typeof export - fs package/dist/index.js :7
deps: ${r}}`};let n={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){let[t,r]=function({schema:e}){let t={},r={};for(let s in e)"__proto__"!==s&&((Array.isArray(e[s])?t: - fs package/dist/runtime/adapter-express.js :7
deps: ${a}}`};let o={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){let[t,a]=function({schema:e}){let t={},a={};for(let r in e)"__proto__"!==r&&((Array.isArray(e[r])?t: - fs package/dist/runtime/adapter-fastify.js :7
deps: ${a}}`};let o={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){let[t,a]=function({schema:e}){let t={},a={};for(let r in e)"__proto__"!==r&&((Array.isArray(e[r])?t: - fs package/dist/runtime/adapter-nestjs.js :7
deps: ${a}}`};let o={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){let[t,a]=function({schema:e}){let t={},a={};for(let r in e)"__proto__"!==r&&((Array.isArray(e[r])?t: - fs package/dist/runtime/adapter-nextjs.js :7
deps: ${a}}`};let o={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){let[t,a]=function({schema:e}){let t={},a={};for(let r in e)"__proto__"!==r&&((Array.isArray(e[r])?t: - fs package/dist/runtime/stdio.js :7
deps: ${r}}`};let n={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){let[t,r]=function({schema:e}){let t={},r={};for(let a in e)"__proto__"!==a&&((Array.isArray(e[a])?t: - fs package/src/cli/commands/create/index.ts :1
import fs from "node:fs"; - fs package/src/compiler/config/injection.ts :1
import { existsSync, readFileSync } from "fs"; - fs package/src/compiler/get-bundler-config/index.ts :29
import fs from "fs"; - fs package/src/compiler/get-bundler-config/resolve-tsconfig-paths.ts :4
import { readFileSync, existsSync } from "fs"; - fs package/src/compiler/index.ts :10
import fs from "fs"; - fs package/src/compiler/parse-xmcp-config.ts :1
import fs from "fs"; - fs package/src/compiler/utils/config-detection.ts :2
import { existsSync } from "node:fs"; - fs package/src/compiler/watcher-recovery.ts :2
import fs from "fs"; - fs package/src/platforms/build-cloudflare-output.ts :2
import fs from "fs"; - fs package/src/platforms/build-vercel-output.ts :2
import fs from "fs"; - fs package/src/runtime/utils/resources.ts :48
const fs = require("fs"); - fs package/src/telemetry/events/detached-flush.ts :6
import { readFileSync, unlinkSync, existsSync } from "fs"; - fs package/src/telemetry/events/tracker.ts :2
import { writeFileSync, mkdirSync } from "fs"; - fs package/src/telemetry/project-id.ts :1
import { readFileSync } from "fs"; - fs package/src/telemetry/storage.ts :8
} from "fs"; - fs package/src/utils/fs-utils.ts :1
import fs from "fs"; - fs package/src/utils/path-validation.ts :3
import fs from "fs";
shell / exec 5
- shell package/dist/index.js :7
deps: ${r}}`};let n={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){let[t,r]=function({schema:e}){let t={},r={};for(let s in e)"__proto__"!==s&&((Array.isArray(e[s])?t: - shell package/src/compiler/get-bundler-config/index.ts :64
"child_process", - shell package/src/compiler/start-http-server.ts :3
import { ChildProcess, spawn } from "child_process"; - shell package/src/telemetry/events/tracker.ts :223
const child_process = - shell package/src/utils/spawn-process.ts :7
import { ChildProcess, spawn } from "child_process";
network 16
- net package/dist/detached-flush.js :1
!function(e,t){if("object"==typeof exports&&"object"==typeof module)module.exports=t();else if("function"==typeof define&&define.amd)define([],t);else{var n=t();for(var r in n)("object"==typeof export - net package/dist/runtime/adapter-express.js :7
deps: ${a}}`};let o={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){let[t,a]=function({schema:e}){let t={},a={};for(let r in e)"__proto__"!==r&&((Array.isArray(e[r])?t: - net package/dist/runtime/adapter-fastify.js :7
deps: ${a}}`};let o={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){let[t,a]=function({schema:e}){let t={},a={};for(let r in e)"__proto__"!==r&&((Array.isArray(e[r])?t: - net package/dist/runtime/adapter-nestjs.js :7
deps: ${a}}`};let o={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){let[t,a]=function({schema:e}){let t={},a={};for(let r in e)"__proto__"!==r&&((Array.isArray(e[r])?t: - net package/dist/runtime/adapter-nextjs.js :7
deps: ${a}}`};let o={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){let[t,a]=function({schema:e}){let t={},a={};for(let r in e)"__proto__"!==r&&((Array.isArray(e[r])?t: - net package/src/runtime/adapters/nextjs/handler/error-handler.ts :1
import type { ServerResponse } from "node:http"; - net package/src/runtime/adapters/nextjs/handler/node-to-web-adapter.ts :1
import type { OutgoingHttpHeaders, ServerResponse } from "node:http"; - net package/src/runtime/adapters/nextjs/handler/request-converter.ts :1
import { type IncomingHttpHeaders, IncomingMessage } from "node:http"; - net package/src/runtime/adapters/nextjs/handler/server-lifecycle.ts :2
import type { ServerResponse } from "node:http"; - net package/src/runtime/adapters/nextjs/index.ts :1
import type { ServerResponse } from "node:http"; - net package/src/runtime/platforms/cloudflare/worker.ts :183
async fetch( - net package/src/runtime/transports/http/base-streamable-http.ts :5
import { IncomingMessage, ServerResponse } from "http"; - net package/src/runtime/transports/http/cors/index.ts :2
import { ServerResponse } from "http"; - net package/src/runtime/transports/http/stateless-streamable-http.ts :10
import http, { IncomingMessage, ServerResponse } from "http"; - net package/src/telemetry/events/post-payload.ts :94
const response = await fetch( - net package/src/utils/port-utils.ts :2
import net from "net";
secrets 5
- secrets package/dist/index.js :7
deps: ${r}}`};let n={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){let[t,r]=function({schema:e}){let t={},r={};for(let s in e)"__proto__"!==s&&((Array.isArray(e[s])?t: - secrets package/dist/runtime/stdio.js :7
deps: ${r}}`};let n={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){let[t,r]=function({schema:e}){let t={},r={};for(let a in e)"__proto__"!==a&&((Array.isArray(e[a])?t: - secrets package/src/auth/api-key.ts :63
* apiKey: process.env.API_KEY!, - secrets package/src/auth/jwt.ts :16
* secret: process.env.JWT_SECRET!, - secrets package/src/runtime/transports/http/stateless-streamable-http.ts :206
const token = process.env.OPENAI_APPS_VERIFICATION_TOKEN;
declared dependencies 40
- @modelcontextprotocol/sdk@^1.26.0
- @rspack/core@^1.6.7
- jose@^6.1.3
- postcss-loader@^8.2.0
- ts-checker-rspack-plugin@^1.2.1
- typescript@^5.9.3
- @nestjs/common@^11.1.12
- @types/async-retry@^1.4.9
- @types/content-type@^1.1.9
- @types/express@^5.0.6
- @types/fs-extra@^11.0.4
- @types/jsonwebtoken@^9.0.10
- @types/node@^22.19.2
- @types/react@^19.2.7
- @types/react-dom@^19.2.3
- async-retry@^1.3.3
- chalk@^5.6.2
- chokidar@^3.6.0
- ci-info@^4.3.1
- commander@^11.1.0
- content-type@^1.0.5
- cross-env@^7.0.3
- del@^7.1.0
- dotenv@^16.6.1
- express@^4.22.1
- fastify@^5.0.0
- fs-extra@^11.3.2
- glob@^11.1.0
- is-docker@^4.0.0
- is-wsl@^3.1.0
- json5@^2.2.3
- jsonwebtoken@^9.0.3
- memfs@^4.51.1
- raw-body@^3.0.2
- reflect-metadata@^0.2.2
- rxjs@^7.8.2
- tsx@^4.21.0
- react@>=19.0.0
- react-dom@>=19.0.0
- zod@^3.25.76 || ^4.0.0