Low Risk — Risk Score 10/100
Last scan: 18 hr ago
daily-to-goal-mcp
Connect to Daily-to-Goal (D2G) platform via MCP to manage goals, tasks, entities, and team performance
A legitimate MCP integration skill for Daily-to-Goal platform with clear documentation, declared dependencies on external npm package, and no hidden functionality or suspicious behavior detected.
Skill Name: daily-to-goal-mcp
Duration: 32.4s
Engine: pi
Safe to install
Review the external npm package @daily-to-goal/mcp-server independently before use. The SKILL.md is well-documented but references a non-existent security guide (references/security.md).

Findings (2 items)

Severity  Finding                                           Location
Low       External npm package dependency (Supply Chain)    SKILL.md:17
          Skill relies on @daily-to-goal/mcp-server fetched via npx at runtime. This external package is not pinned to a specific version.
          Evidence: command: npx, args: ["@daily-to-goal/mcp-server"]
          → Pin to a specific version (e.g., @daily-to-goal/mcp-server@<exact version>) and verify package integrity before use.
Low       Broken reference to security documentation (Doc Mismatch)    SKILL.md:110
          SKILL.md references 'references/security.md', which does not exist in the skill package.
          Evidence: For detailed API key management and security practices, see [references/security.md]
          → Remove the reference or include the security documentation file.
Resource      Declared  Inferred  Status     Evidence
Filesystem    NONE      NONE                 N/A - no filesystem access declared or inferred
Network       READ      READ      ✓ Aligned  MCP connection to h5.dd-up.com for API calls
Shell         NONE      NONE                 npx command for MCP server startup is standard MCP behavior
Environment   READ      READ      ✓ Aligned  Requires DTG_API_KEY environment variable
Skill Invoke  NONE      NONE                 N/A
Clipboard     NONE      NONE                 N/A
Browser       NONE      NONE                 N/A
Database      NONE      NONE                 N/A
External URLs (1 finding)

Severity  Finding       URL                     Location
Medium    External URL  https://h5.dd-up.com/   SKILL.md:13

File Tree

1 file · 3.6 KB · 110 lines
Markdown: 1 file · 110 lines
└─ 📝 SKILL.md Markdown 110L · 3.6 KB

Dependencies (1 item)

Package                    Version  Source      Known Vulns  Notes
@daily-to-goal/mcp-server  latest   npm (npx)   No           Version not pinned - fetched at runtime via npx

Security Positives

✓ All capabilities are clearly documented in SKILL.md
✓ No shell execution or arbitrary command execution
✓ No credential harvesting beyond the required API key
✓ No data exfiltration or C2 communication patterns
✓ No obfuscated code or base64 payloads
✓ Environment variable access is declared and necessary for the feature
✓ Standard MCP protocol usage with well-defined tool schema