npm - @agentsid/scanner - Versions diffs - 0.1.0 - Mend

@agentsid/scanner 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (116) hide show

package/README.md +205 -0
package/action/action.yml +42 -0
package/action/index.mjs +179 -0
package/docs/state-of-agent-security-2026.md +377 -0
package/examples/security-scan.yml +57 -0
package/package.json +37 -0
package/reports/aashari-mcp-server-atlassian-confluence.json +110 -0
package/reports/aashari-mcp-server-atlassian-jira.json +138 -0
package/reports/aashari-mcp-server-aws-sso.json +122 -0
package/reports/agentdeskai-browser-tools-mcp.json +361 -0
package/reports/ahmetkca-mcp-server-postgres.json +43 -0
package/reports/aiondadotcom-mcp-ssh.json +166 -0
package/reports/apify-actors-mcp-server.json +43 -0
package/reports/azure-mcp.json +43 -0
package/reports/boilerplate-mcp-tool.json +43 -0
package/reports/browserstack-mcp-server.json +43 -0
package/reports/canvas-mcp-server.json +43 -0
package/reports/canvas-mcp-tool.json +43 -0
package/reports/chrome-devtools-mcp.json +300 -0
package/reports/chrome-local-mcp.json +222 -0
package/reports/claude-flow-mcp.json +43 -0
package/reports/cloudflare-mcp-server.json +43 -0
package/reports/code-canvas-server.json +43 -0
package/reports/cognitionai-metabase-mcp-server.json +43 -0
package/reports/composio-mcp.json +43 -0
package/reports/contentful-mcp-server.json +43 -0
package/reports/dbhub.json +43 -0
package/reports/desktop-commander.json +43 -0
package/reports/dynatrace-oss-dynatrace-mcp-server.json +43 -0
package/reports/e2b-mcp-server.json +67 -0
package/reports/eslint-mcp.json +51 -0
package/reports/european-parliament-mcp-server.json +1467 -0
package/reports/exa-mcp-server.json +74 -0
package/reports/executeautomation-playwright-mcp-server.json +418 -0
package/reports/fast-kit-spec-kit.json +43 -0
package/reports/felores-airtable-mcp-server.json +43 -0
package/reports/figma-mcp.json +103 -0
package/reports/forestadmin-mcp-server.json +43 -0
package/reports/fullrun-mcp.json +43 -0
package/reports/gemini-mcp-tool.json +43 -0
package/reports/gitlab-mcp-agent-server.json +186 -0
package/reports/grackle-ai-mcp.json +43 -0
package/reports/heroku-mcp-server.json +333 -0
package/reports/hisma-server-puppeteer.json +93 -0
package/reports/hubspot-mcp-server.json +43 -0
package/reports/hyper-mcp-shell.json +59 -0
package/reports/iflow-mcp-server-github.json +327 -0
package/reports/jpisnice-shadcn-ui-mcp-server.json +149 -0
package/reports/jsonresume-mcp.json +43 -0
package/reports/mapbox-mcp-server.json +43 -0
package/reports/mcp-framework.json +43 -0
package/reports/mcp-from-openapi.json +43 -0
package/reports/mcp-handler.json +43 -0
package/reports/mcp-proxy.json +43 -0
package/reports/mcp-server-docker.json +59 -0
package/reports/mcp-server-github-gist.json +108 -0
package/reports/mcp-server-google-calendar.json +43 -0
package/reports/mcp-server-jira-cloud.json +43 -0
package/reports/mcp-server-kubernetes.json +43 -0
package/reports/mcp-server-slack.json +411 -0
package/reports/mcp-server-sqlite-npx.json +43 -0
package/reports/mcp-server.json +43 -0
package/reports/mcp-starter.json +59 -0
package/reports/mcp-tool-lint.json +43 -0
package/reports/mcporter.json +43 -0
package/reports/mcptoolshop-mcp-tool-registry.json +43 -0
package/reports/microsoft-devbox-mcp.json +43 -0
package/reports/mobilenext-mobile-mcp.json +214 -0
package/reports/modelcontextprotocol-server-brave-search.json +43 -0
package/reports/modelcontextprotocol-server-everything.json +165 -0
package/reports/modelcontextprotocol-server-fetch.json +43 -0
package/reports/modelcontextprotocol-server-filesystem.json +259 -0
package/reports/modelcontextprotocol-server-github.json +391 -0
package/reports/modelcontextprotocol-server-memory.json +117 -0
package/reports/modelcontextprotocol-server-postgres.json +43 -0
package/reports/modelcontextprotocol-server-puppeteer.json +101 -0
package/reports/modelcontextprotocol-server-sequential-thinking.json +67 -0
package/reports/mongodb-mcp-server.json +43 -0
package/reports/mseep-linear-mcp-server.json +43 -0
package/reports/mseep-mcp-server-sqlite-npx.json +43 -0
package/reports/n8n-mcp.json +123 -0
package/reports/notepost-mcp.json +43 -0
package/reports/notionhq-notion-mcp-server.json +220 -0
package/reports/nx-mcp.json +59 -0
package/reports/obsidian-mcp-server.json +43 -0
package/reports/opengraph-io-mcp.json +130 -0
package/reports/payloadcms-plugin-mcp.json +43 -0
package/reports/peac-mappings-mcp.json +43 -0
package/reports/playwright-mcp.json +236 -0
package/reports/puppeteer-mcp-server.json +43 -0
package/reports/railway-mcp-server.json +194 -0
package/reports/razorpay-blade-mcp.json +182 -0
package/reports/rekog-mcp-nest.json +43 -0
package/reports/remotion-mcp.json +51 -0
package/reports/rollbar-mcp-server.json +43 -0
package/reports/sap-ux-fiori-mcp-server.json +80 -0
package/reports/sentry-mcp-server.json +43 -0
package/reports/server-filesystem.json +43 -0
package/reports/server-memory.json +43 -0
package/reports/shortcut-mcp.json +43 -0
package/reports/supabase-mcp-server-supabase.json +43 -0
package/reports/tavily-mcp.json +79 -0
package/reports/thelord-mcp-server-docker-npx.json +43 -0
package/reports/tyk-technologies-api-to-mcp.json +43 -0
package/reports/tyk-technologies-tyk-dashboard-mcp.json +43 -0
package/reports/ui5-mcp-server.json +157 -0
package/reports/upstash-context7-mcp.json +82 -0
package/reports/vantasdk-vanta-mcp-server.json +43 -0
package/reports/winor30-mcp-server-datadog.json +43 -0
package/reports/wonderwhy-er-desktop-commander.json +43 -0
package/reports/xzxzzx-bilibili-mcp.json +58 -0
package/src/grader.mjs +66 -0
package/src/index.mjs +108 -0
package/src/reporter.mjs +158 -0
package/src/rules.mjs +363 -0
package/src/scanner.mjs +208 -0

package/src/scanner.mjs ADDED Viewed

@@ -0,0 +1,208 @@
+/**
+ * MCP Server Scanner — connects to an MCP server, enumerates tools,
+ * and runs security analysis across all rule categories.
+ *
+ * Supports stdio and HTTP transport modes.
+ */
+import { spawn } from "child_process";
+import {
+  scanToolDescriptions,
+  scanToolNames,
+  scanInputSchemas,
+  scanAuthIndicators,
+  scanOutputSafety,
+  scanHallucinationRisks,
+} from "./rules.mjs";
+import { grade } from "./grader.mjs";
+import { formatTerminalReport, formatJsonReport } from "./reporter.mjs";
+/**
+ * Scan an MCP server by spawning it as a subprocess (stdio transport).
+ * @param {string} command — Command to start the server (e.g., "npx @some/mcp-server")
+ * @param {object} options — { env, timeout, json }
+ */
+export async function scanStdio(command, options = {}) {
+  const { env = {}, timeout = 30000, json = false } = options;
+  const parts = command.split(/\s+/);
+  const proc = spawn(parts[0], parts.slice(1), {
+    env: { ...process.env, ...env },
+    stdio: ["pipe", "pipe", "pipe"],
+  });
+  const result = await communicateWithServer(proc, timeout);
+  proc.kill();
+  return generateReport(result.serverInfo, result.tools, json);
+}
+/**
+ * Scan an MCP server by connecting over HTTP (streamable HTTP transport).
+ * @param {string} url — Server URL
+ * @param {object} options — { headers, timeout, json }
+ */
+export async function scanHttp(url, options = {}) {
+  const { headers = {}, timeout = 30000, json = false } = options;
+  // For HTTP transport, we send JSON-RPC over HTTP
+  const initResponse = await fetchRpc(url, "initialize", {
+    protocolVersion: "2024-11-05",
+    capabilities: {},
+    clientInfo: { name: "agentsid-scanner", version: "0.1.0" },
+  }, headers, timeout);
+  const serverInfo = initResponse?.result?.serverInfo || { name: "unknown", version: "?" };
+  // Send initialized notification
+  await fetchRpc(url, "notifications/initialized", {}, headers, timeout);
+  // List tools
+  const toolsResponse = await fetchRpc(url, "tools/list", {}, headers, timeout);
+  const tools = toolsResponse?.result?.tools || [];
+  return generateReport(serverInfo, tools, json);
+}
+/**
+ * Scan from a tool definition list (no server connection needed).
+ * Useful for scanning tool configs or package.json MCP definitions.
+ * @param {Array} tools — Array of tool definition objects
+ * @param {object} options — { serverName, json }
+ */
+export function scanToolDefinitions(tools, options = {}) {
+  const { serverName = "static-analysis", json = false } = options;
+  const serverInfo = { name: serverName, version: "static" };
+  return generateReport(serverInfo, tools, json);
+}
+// ─── Internal ───
+async function communicateWithServer(proc, timeout) {
+  return new Promise((resolve, reject) => {
+    let buf = "";
+    const responses = {};
+    proc.stdout.on("data", (data) => {
+      buf += data.toString();
+      while (buf.includes("\n")) {
+        const idx = buf.indexOf("\n");
+        const line = buf.substring(0, idx);
+        buf = buf.substring(idx + 1);
+        try {
+          const msg = JSON.parse(line);
+          if (msg.id) responses[msg.id] = msg;
+        } catch {}
+      }
+    });
+    proc.stderr.on("data", () => {}); // Suppress stderr
+    // Send initialize
+    proc.stdin.write(JSON.stringify({
+      jsonrpc: "2.0",
+      method: "initialize",
+      params: {
+        protocolVersion: "2024-11-05",
+        capabilities: {},
+        clientInfo: { name: "agentsid-scanner", version: "0.1.0" },
+      },
+      id: 1,
+    }) + "\n");
+    setTimeout(() => {
+      // Send initialized notification
+      proc.stdin.write(JSON.stringify({
+        jsonrpc: "2.0",
+        method: "notifications/initialized",
+        params: {},
+      }) + "\n");
+    }, 500);
+    setTimeout(() => {
+      // List tools
+      proc.stdin.write(JSON.stringify({
+        jsonrpc: "2.0",
+        method: "tools/list",
+        params: {},
+        id: 2,
+      }) + "\n");
+    }, 1000);
+    // Wait for tools/list response
+    const check = setInterval(() => {
+      if (responses[2]) {
+        clearInterval(check);
+        clearTimeout(timer);
+        const serverInfo = responses[1]?.result?.serverInfo || { name: "unknown", version: "?" };
+        const tools = responses[2]?.result?.tools || [];
+        resolve({ serverInfo, tools });
+      }
+    }, 100);
+    const timer = setTimeout(() => {
+      clearInterval(check);
+      const serverInfo = responses[1]?.result?.serverInfo || { name: "unknown", version: "?" };
+      const tools = responses[2]?.result?.tools || [];
+      resolve({ serverInfo, tools });
+    }, timeout);
+  });
+}
+async function fetchRpc(url, method, params, headers, timeout) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeout);
+  try {
+    const response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...headers,
+      },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        method,
+        params,
+        id: Math.floor(Math.random() * 10000),
+      }),
+      signal: controller.signal,
+    });
+    clearTimeout(timer);
+    return response.json();
+  } catch (err) {
+    clearTimeout(timer);
+    return null;
+  }
+}
+function generateReport(serverInfo, tools, json) {
+  // Run all scan rules
+  const descriptionFindings = scanToolDescriptions(tools);
+  const { findings: nameFindings, riskProfile } = scanToolNames(tools);
+  const schemaFindings = scanInputSchemas(tools);
+  const authFindings = scanAuthIndicators(tools, serverInfo);
+  const outputFindings = scanOutputSafety(tools);
+  const hallucinationFindings = scanHallucinationRisks(tools);
+  // Combine all findings
+  const allFindings = [
+    ...descriptionFindings,
+    ...nameFindings,
+    ...schemaFindings,
+    ...authFindings,
+    ...outputFindings,
+    ...hallucinationFindings,
+  ];
+  // Grade
+  const gradeResult = grade(allFindings);
+  // Format report
+  if (json) {
+    return formatJsonReport(serverInfo, tools, allFindings, gradeResult, riskProfile);
+  }
+  return formatTerminalReport(serverInfo, tools, allFindings, gradeResult, riskProfile);
+}