Scan Report
10/100
daily-to-goal-mcp
Connect to Daily-to-Goal (D2G) platform via MCP to manage goals, tasks, entities, and team performance
A legitimate MCP integration skill for Daily-to-Goal platform with clear documentation, declared dependencies on external npm package, and no hidden functionality or suspicious behavior detected.
OK to install
Review the external npm package @daily-to-goal/mcp-server independently before use. The SKILL.md is well-documented but references a non-existent security guide (references/security.md).
Security findings: 2

| Severity | Finding | Location |
|---|---|---|
| Low | External npm package dependency (Supply chain) | SKILL.md:17 |
| Low | Broken reference to security documentation (Documentation deception) | SKILL.md:110 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | N/A - no filesystem access declared or inferred |
| Network access | READ | READ | ✓ Consistent | MCP connection to h5.dd-up.com for API calls |
| Command execution | NONE | NONE | — | npx command for MCP server startup is standard MCP behavior |
| Environment variables | READ | READ | ✓ Consistent | Requires DTG_API_KEY environment variable |
| Skill invocation | NONE | NONE | — | N/A |
| Clipboard | NONE | NONE | — | N/A |
| Browser | NONE | NONE | — | N/A |
| Database | NONE | NONE | — | N/A |

1 finding
Medium · External URL: https://h5.dd-up.com/ (SKILL.md:13)

Directory structure
1 file · 3.6 KB · 110 lines
Markdown: 1 file · 110 lines
└─ SKILL.md (Markdown)

Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| @daily-to-goal/mcp-server | latest | npm (npx) | No | Version not pinned - fetched at runtime via npx |

Security highlights
✓ All capabilities are clearly documented in SKILL.md
✓ No shell execution or arbitrary command execution
✓ No credential harvesting beyond the required API key
✓ No data exfiltration or C2 communication patterns
✓ No obfuscated code or base64 payloads
✓ Environment variable access is declared and necessary for the feature
✓ Standard MCP protocol usage with well-defined tool schema