Low risk: risk score 25/100
Last scan: 1 day ago
blender_mcp
Advanced bridge to Blender via MCP
Legitimate Blender MCP bridge with undeclared subprocess execution but no malicious behavior detected.
Skill name: blender_mcp
Analysis time: 30.0s
Engine: pi
Verdict: can be installed
Add explicit documentation of subprocess spawning (uvx blender-mcp) in SKILL.md. Pin node-fetch to a specific version.

Security findings: 2

Severity | Finding | Category | Location
Medium | Undeclared subprocess execution | Documentation deception | server.js:54
  server.js spawns the 'uvx blender-mcp' subprocess via child_process.spawn(), but SKILL.md does not declare this shell execution capability.
  Evidence: this.process = spawn(uvxCmd, ['blender-mcp'], { stdio: ['pipe', 'pipe', 'pipe'] })
  → Document subprocess spawning in the SKILL.md allowed-tools section
Low | Unpinned dependency version | Supply chain | package.json:13
  The node-fetch dependency uses ^3.3.2, which allows minor version updates.
  Evidence: "node-fetch": "^3.3.2"
  → Pin to exact version: "node-fetch": "3.3.2"
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | NONE | WRITE | ✗ Exceeds declaration | server.js:54 - spawn(uvxCmd, ['blender-mcp'], ...)
Network access | READ | READ | ✓ Consistent | Communicates with blender-mcp server via stdio JSON-RPC
File system | NONE | READ | ✓ Consistent | server.js:27 - fs.existsSync(localBin)
External URL findings: 2

Severity | Category | URL | Location
Medium | External URL | https://paypal.me/jimmywarting | package-lock.json:34
Medium | External URL | https://opencollective.com/node-fetch | package-lock.json:93

Directory structure

6 files · 10.9 KB · 347 lines
JavaScript: 3 files · 164 lines; JSON: 2 files · 119 lines; Markdown: 1 file · 64 lines
├─ 📋 package-lock.json JSON 106L · 3.4 KB
├─ 📋 package.json JSON 13L · 267 B
├─ 📜 server.js JavaScript 114L · 3.0 KB
├─ 📝 SKILL.md Markdown 64L · 2.7 KB
├─ 📜 test_v2.js JavaScript 19L · 711 B
└─ 📜 test.js JavaScript 31L · 961 B

Dependency analysis: 1

Package | Version | Source | Known vulnerabilities | Notes
node-fetch | ^3.3.2 | npm | | Version not pinned - allows minor updates

Security highlights

✓ No credential harvesting detected
✓ No data exfiltration to external IPs
✓ No obfuscation techniques (base64, eval patterns)
✓ No suspicious network connections to unknown servers
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No reverse shell or C2 behavior
✓ Legitimate Blender MCP bridge functionality confirmed