IC Trade Navigator MCP Connector Security Report — Low Risk | ClawSafe

15 /100

IC Trade Navigator MCP Connector

Taiwan-neutral IC component quoting connector for Claude Desktop that reads local ERP inventory and fetches market quotes from an external API

This is a legitimate MCP connector for IC component quoting that performs exactly as documented. The main consideration is that an API key is transmitted to an external server, but this is explicitly declared with clear privacy safeguards for local ERP data.

Skill NameIC Trade Navigator MCP Connector

Duration48.4s

Enginepi

✓

Safe to install

This skill is safe to use. Users should be aware that their API key is sent to the remote quote engine. No additional risks beyond standard network-boundary considerations.

Findings 2 items

Severity	Finding	Location
Info	API key transmitted to remote server Sensitive Access The QUOTE_ENGINE_API_KEY is sent in the X-API-Key header to the external quote engine. This is documented behavior but represents a privacy consideration. `headers={"X-API-Key": config.engine_api_key}` → Users should ensure they trust the quote engine operator before using this connector.	`mcp_connector/api_client.py:176`
Low	Default ERP path references user Desktop Sensitive Access The default ERP_EXCEL_PATH points to ~/Desktop/ERP內容.xlsx, which could expose the file location to the LLM. `str(Path.home() / "Desktop" / "ERP內容.xlsx")` → This is standard configuration; users should set explicit paths via environment variables.	`mcp_connector/config.py:35`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	Reads inventory.xlsx via openpyxl; clearly documented
Network	`READ`	`READ`	✓ Aligned	HTTP GET to /v1/quote with httpx; declared in SKILL.md
Shell	`NONE`	`NONE`	—	No subprocess, os.system, or shell execution found
Environment	`READ`	`READ`	✓ Aligned	Reads QUOTE_ENGINE_API_KEY, QUOTE_ENGINE_URL, ERP_EXCEL_PATH from env
Skill Invoke	`WRITE`	`WRITE`	✓ Aligned	Exposes 3 MCP tools (quote_part, read_erp_inventory, get_combined_view)

5 findings

🔗

Medium External URL 外部 URL

https://api.ic-navigator.com

README.md:54

🔗

Medium External URL 外部 URL

https://your-engine.example.com

mcp_connector/client.py:43

🔗

Medium External URL 外部 URL

https://quote.example.com

mcp_connector/config.py:12

🔗

Medium External URL 外部 URL

http://127.0.0.1:8001

mcp_connector/config.py:29

📧

Info Email 邮箱地址

[email protected]

README.md:198

File Tree

10 files · 90.7 KB · 2453 lines

Python 8f · 2046L Markdown 2f · 407L

├─ ▾ 📁 mcp_connector

│ ├─ 🐍 __init__.py Python 1L · 68 B

│ ├─ 🐍 api_client.py Python 260L · 10.5 KB

│ ├─ 🐍 client.py Python 452L · 18.6 KB

│ ├─ 🐍 config.py Python 65L · 2.5 KB

│ ├─ 🐍 erp_reader_generic.py Python 490L · 18.3 KB

│ ├─ 🐍 erp_reader.py Python 195L · 7.6 KB

│ ├─ 🐍 merger.py Python 241L · 10.6 KB

│ └─ 🐍 server.py Python 342L · 11.8 KB

├─ 📝 README.md Markdown 198L · 5.2 KB

└─ 📝 SKILL.md Markdown 209L · 5.6 KB

Dependencies 3 items

Package	Version	Source	Known Vulns	Notes
`httpx`	`*`	pip	No	Version not pinned but no RCE vectors in this usage
`openpyxl`	`*`	pip	No	Version not pinned but only used for data reading
`mcp`	`*`	pip	No	Official MCP SDK from modelcontextprotocol

Security Positives

✓ Clear and comprehensive privacy documentation with explicit data scope (only sends part_number, qty, lang)

✓ Strong response sanitization with forbidden-key blocking in api_client.py

✓ Explicit price-column blocking with keyword detection in erp_reader_generic.py

✓ No shell execution, subprocess, or eval patterns found

✓ No base64 encoding, obfuscation, or anti-analysis techniques

✓ No credential harvesting beyond declared API key

✓ Clean code structure with clear separation of concerns

✓ Explicit allowed/forbidden response field lists prevent server-side data leakage

Scan Report

Findings 2 items

File Tree

Dependencies 3 items

Security Positives