中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:1 day ago Rescan
5 /100
discovery-engine
Automatically discover novel, statistically validated patterns in tabular data. Find insights you'd otherwise miss, far faster and cheaper than doing it yourself.
This is a legitimate MCP server for a statistical pattern discovery service (Disco by Leap Laboratories) with no malicious indicators, no hidden functionality, and well-documented behavior that matches the implementation.
Skill Namediscovery-engine
Duration47.3s
Enginepi
Safe to install
Approve for use. No security concerns identified.

Findings 2 items

Severity Finding Location
Low
Unpinned dependency versions in pyproject.toml Supply Chain
pyproject.toml specifies dependencies with >= version specifiers: mcp>=1.0.0, httpx>=0.24.0, pydantic>=2.8.0. This allows any future version to be installed, which could theoretically introduce a vulnerability if a new release is compromised. However, this is standard Python packaging practice and no known vulnerabilities exist in these packages.
dependencies = [
    "mcp>=1.0.0",
    "httpx>=0.24.0",
    "pydantic>=2.8.0",
]
→ Consider pinning exact versions for reproducible builds, though this is a minor risk for established packages like these.
 pyproject.toml:28
Info
OAuth auth module referenced but not present in skill directory Doc Mismatch
server.py imports from '.auth' module (DiscoOAuthProvider, create_callback_routes, DualAuthMiddleware) which is not included in this skill package. The import is conditionally gated behind 'if _OAUTH_SECRET' which requires environment variable to be set. This is a code stub for production deployment and does not represent a security risk in this package.
from .auth import DiscoOAuthProvider, create_callback_routes
→ No action needed. The .auth module is part of the full package distribution, not this skill stub.
 server.py:50
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned server.py:391 — Path(file_path).read_bytes() for local file upload only
Network READ WRITE ✓ Aligned server.py:179 — _dashboard_request() POSTs to disco.leap-labs.com; file upload v…
Shell NONE NONE No subprocess, os.system, or shell execution found in codebase
Environment READ READ ✓ Aligned server.py:32 — os.getenv('DISCOVERY_API_KEY') only; no iteration through os.envi…
Skill Invoke READ READ ✓ Aligned MCP tools: discovery_upload, discovery_analyze, discovery_status, discovery_get_…
Clipboard NONE NONE No clipboard access found
Browser NONE NONE No browser automation found
Database NONE NONE No database access found
29 findings
🔗
Medium External URL 外部 URL
https://img.shields.io/pypi/v/discovery-engine-api
README.md:5
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/License-MIT-blue.svg
README.md:6
🔗
Medium External URL 外部 URL
https://www.leap-labs.com
README.md:8
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/api/signup
README.md:41
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/api/signup/verify
README.md:46
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/docs
README.md:52
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/mcp
README.md:213
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com
README.md:274
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/.well-known/openapi.json
README.md:280
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/discover
README.md:281
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/api/data/upload/presign
SKILL.md:138
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/api/data/upload/finalize
SKILL.md:150
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/sign-up
SKILL.md:290
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/developers.
SKILL.md:290
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/reports/a1b2c3d4-...
SKILL.md:374
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/developers
SKILL.md:560
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/account
SKILL.md:561
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/api/account
SKILL.md:578
🔗
Medium External URL 外部 URL
https://api.stripe.com/v1/payment_methods
SKILL.md:591
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/api/account/payment-method
SKILL.md:614
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/api/account/credits/purchase
SKILL.md:632
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/visualization-spec**
SKILL.md:844
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/llms-full.txt
SKILL.md:851
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/visualization-spec
SKILL.md:852
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/.well-known/mcp.json
docs/python-sdk.md:426
🔗
Medium External URL 外部 URL
https://glama.ai/mcp/schemas/server.json
glama.json:2
🔗
Medium External URL 外部 URL
https://disco.leap-labs.com/agents
llms.txt:133
🔗
Medium External URL 外部 URL
https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json
server.json:2
🔗
Medium External URL 外部 URL
https://docs.disco.leap-labs.com
server.py:60

File Tree

9 files · 104.3 KB · 2688 lines
Markdown 3f · 1584L Python 1f · 892L Text 1f · 136L TOML 1f · 46L JSON 2f · 29L YAML 1f · 1L
├─ 📁 docs
│ └─ 📝 python-sdk.md Markdown 446L · 15.6 KB
├─ 📋 glama.json JSON 4L · 98 B
├─ 📄 llms.txt Text 136L · 4.7 KB
├─ 📄 pyproject.toml TOML 46L · 1.5 KB
├─ 📝 README.md Markdown 283L · 10.4 KB
├─ 📋 server.json JSON 25L · 782 B
├─ 🐍 server.py Python 892L · 33.6 KB
├─ 📝 SKILL.md Markdown 855L · 37.7 KB
└─ 📋 smithery.yaml YAML 1L · 23 B

Dependencies 3 items

PackageVersionSourceKnown VulnsNotes
mcp >=1.0.0 pip No Version not pinned — uses >= specifier
httpx >=0.24.0 pip No Version not pinned — uses >= specifier
pydantic >=2.8.0 pip No Version not pinned — uses >= specifier

Security Positives

✓ No shell execution (subprocess, os.system, shell=True) — codebase is pure Python with httpx for HTTP only
✓ No base64-encoded payloads piped to bash — file upload uses standard httpx AsyncClient
✓ No credential harvesting — only reads DISCOVERY_API_KEY from environment, does not enumerate os.environ for sensitive keys
✓ No sensitive path access — does not read ~/.ssh, ~/.aws, .env, or similar credential paths
✓ No hidden functionality — SKILL.md documentation is thorough and accurately describes all tool behaviors
✓ No curl|bash or wget|sh remote script execution patterns
✓ No eval(), exec(), or dynamic code execution
✓ Presigned URL upload pattern ensures file content goes directly to cloud storage, not through the agent
✓ API key read from environment variable to avoid parameter logging by MCP clients
✓ Clean git repo reference (github.com/leap-laboratories/discovery-engine) confirms public verifiability
✓ OAuth implementation uses official MCP auth library (mcp.server.auth) — no custom auth bypass logic
✓ No obfuscation techniques (no base64 payload decoding, no anti-analysis patterns)