中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 15/100
上次扫描:1 天前 重新扫描
15 /100
IC Trade Navigator MCP Connector
Taiwan-neutral IC component quoting connector for Claude Desktop that reads local ERP inventory and fetches market quotes from an external API
This is a legitimate MCP connector for IC component quoting that performs exactly as documented. The main consideration is that an API key is transmitted to an external server, but this is explicitly declared with clear privacy safeguards for local ERP data.
技能名称IC Trade Navigator MCP Connector
分析耗时48.4s
引擎pi
可以安装
This skill is safe to use. Users should be aware that their API key is sent to the remote quote engine. No additional risks beyond standard network-boundary considerations.

安全发现 2 项

严重性 安全发现 位置
提示
API key transmitted to remote server 敏感访问
The QUOTE_ENGINE_API_KEY is sent in the X-API-Key header to the external quote engine. This is documented behavior but represents a privacy consideration.
headers={"X-API-Key": config.engine_api_key}
→ Users should ensure they trust the quote engine operator before using this connector.
 mcp_connector/api_client.py:176
低危
Default ERP path references user Desktop 敏感访问
The default ERP_EXCEL_PATH points to ~/Desktop/ERP內容.xlsx, which could expose the file location to the LLM.
str(Path.home() / "Desktop" / "ERP內容.xlsx")
→ This is standard configuration; users should set explicit paths via environment variables.
 mcp_connector/config.py:35
资源类型声明权限推断权限状态证据
文件系统 READ READ ✓ 一致 Reads inventory.xlsx via openpyxl; clearly documented
网络访问 READ READ ✓ 一致 HTTP GET to /v1/quote with httpx; declared in SKILL.md
命令执行 NONE NONE No subprocess, os.system, or shell execution found
环境变量 READ READ ✓ 一致 Reads QUOTE_ENGINE_API_KEY, QUOTE_ENGINE_URL, ERP_EXCEL_PATH from env
技能调用 WRITE WRITE ✓ 一致 Exposes 3 MCP tools (quote_part, read_erp_inventory, get_combined_view)
5 项发现
🔗
中危 外部 URL 外部 URL
https://api.ic-navigator.com
README.md:54
🔗
中危 外部 URL 外部 URL
https://your-engine.example.com
mcp_connector/client.py:43
🔗
中危 外部 URL 外部 URL
https://quote.example.com
mcp_connector/config.py:12
🔗
中危 外部 URL 外部 URL
http://127.0.0.1:8001
mcp_connector/config.py:29
📧
提示 邮箱 邮箱地址
[email protected]
README.md:198

目录结构

10 文件 · 90.7 KB · 2453 行
Python 8f · 2046L Markdown 2f · 407L
├─ 📁 mcp_connector
│ ├─ 🐍 __init__.py Python 1L · 68 B
│ ├─ 🐍 api_client.py Python 260L · 10.5 KB
│ ├─ 🐍 client.py Python 452L · 18.6 KB
│ ├─ 🐍 config.py Python 65L · 2.5 KB
│ ├─ 🐍 erp_reader_generic.py Python 490L · 18.3 KB
│ ├─ 🐍 erp_reader.py Python 195L · 7.6 KB
│ ├─ 🐍 merger.py Python 241L · 10.6 KB
│ └─ 🐍 server.py Python 342L · 11.8 KB
├─ 📝 README.md Markdown 198L · 5.2 KB
└─ 📝 SKILL.md Markdown 209L · 5.6 KB

依赖分析 3 项

包名版本来源已知漏洞备注
httpx * pip Version not pinned but no RCE vectors in this usage
openpyxl * pip Version not pinned but only used for data reading
mcp * pip Official MCP SDK from modelcontextprotocol

安全亮点

✓ Clear and comprehensive privacy documentation with explicit data scope (only sends part_number, qty, lang)
✓ Strong response sanitization with forbidden-key blocking in api_client.py
✓ Explicit price-column blocking with keyword detection in erp_reader_generic.py
✓ No shell execution, subprocess, or eval patterns found
✓ No base64 encoding, obfuscation, or anti-analysis techniques
✓ No credential harvesting beyond declared API key
✓ Clean code structure with clear separation of concerns
✓ Explicit allowed/forbidden response field lists prevent server-side data leakage