中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:1 day ago Rescan
5 /100
mcp-hello-world
Minimal MCP Hello World server — provides add (arithmetic) and hello_world (greeting) tools via stdio
A clean, minimal MCP Hello World skill with no malicious indicators — only two simple tools (add, hello_world) implemented via the official SDK over stdio.
Skill Namemcp-hello-world
Duration35.1s
Enginepi
Safe to install
Approve for use. No security concerns identified.

Findings 1 items

Severity Finding Location
Low
Unused express/router dependency in package.json scripts Doc Mismatch
package.json references 'dev' and 'test' scripts (via src/test.js) which pull in express/router as transitive dependencies, but the skill itself only uses StdioServerTransport. This is a minor documentation imprecision — the running server has no network exposure.
"dev": "node --watch src/server.js"
→ Consider adding express only as a dev/optional dependency or removing unused script references from the skill manifest for clarity.
 package.json:13
ResourceDeclaredInferredStatusEvidence
Filesystem NONE NONE src/server.js - no file read/write operations
Network NONE NONE src/server.js - StdioServerTransport only, no HTTP requests
Shell NONE NONE src/server.js - no subprocess/exec usage
Environment NONE NONE src/server.js - no process.env access
Skill Invoke READ READ ✓ Aligned SKILL.md declares 'add' and 'hello_world' tools; server.js implements exactly th…
Clipboard NONE NONE No clipboard access found
Browser NONE NONE No browser automation found
Database NONE NONE No database access found
96 findings
🔗
Medium External URL 外部 URL
https://modelcontextprotocol.io
01-调研报告.md:259
🔗
Medium External URL 外部 URL
https://clawhub.ai/skills/mcp-hello-world
README.md:5
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/@hono/node-server/-/node-server-1.19.11.tgz
package-lock.json:18
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/@modelcontextprotocol/sdk/-/sdk-1.27.1.tgz
package-lock.json:30
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/accepts/-/accepts-2.0.0.tgz
package-lock.json:70
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/ajv/-/ajv-8.18.0.tgz
package-lock.json:83
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/ajv-formats/-/ajv-formats-3.0.1.tgz
package-lock.json:99
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/body-parser/-/body-parser-2.2.2.tgz
package-lock.json:116
🔗
Medium External URL 外部 URL
https://opencollective.com/express
package-lock.json:135
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/bytes/-/bytes-3.1.2.tgz
package-lock.json:140
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz
package-lock.json:149
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/call-bound/-/call-bound-1.0.4.tgz
package-lock.json:162
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/content-disposition/-/content-disposition-1.0.1.tgz
package-lock.json:178
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/content-type/-/content-type-1.0.5.tgz
package-lock.json:191
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/cookie/-/cookie-0.7.2.tgz
package-lock.json:200
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/cookie-signature/-/cookie-signature-1.2.2.tgz
package-lock.json:209
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/cors/-/cors-2.8.6.tgz
package-lock.json:218
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/cross-spawn/-/cross-spawn-7.0.6.tgz
package-lock.json:235
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/debug/-/debug-4.4.3.tgz
package-lock.json:249
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/depd/-/depd-2.0.0.tgz
package-lock.json:266
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/dunder-proto/-/dunder-proto-1.0.1.tgz
package-lock.json:275
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/ee-first/-/ee-first-1.1.1.tgz
package-lock.json:289
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/encodeurl/-/encodeurl-2.0.0.tgz
package-lock.json:295
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/es-define-property/-/es-define-property-1.0.1.tgz
package-lock.json:304
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/es-errors/-/es-errors-1.3.0.tgz
package-lock.json:313
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/es-object-atoms/-/es-object-atoms-1.1.1.tgz
package-lock.json:322
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/escape-html/-/escape-html-1.0.3.tgz
package-lock.json:334
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/etag/-/etag-1.8.1.tgz
package-lock.json:340
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/eventsource/-/eventsource-3.0.7.tgz
package-lock.json:349
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/eventsource-parser/-/eventsource-parser-3.0.6.tgz
package-lock.json:361
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/express/-/express-5.2.1.tgz
package-lock.json:370
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/express-rate-limit/-/express-rate-limit-8.3.1.tgz
package-lock.json:413
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz
package-lock.json:431
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/fast-uri/-/fast-uri-3.1.0.tgz
package-lock.json:437
🔗
Medium External URL 外部 URL
https://opencollective.com/fastify
package-lock.json:446
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/finalhandler/-/finalhandler-2.1.1.tgz
package-lock.json:453
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/forwarded/-/forwarded-0.2.0.tgz
package-lock.json:474
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/fresh/-/fresh-2.0.0.tgz
package-lock.json:483
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/function-bind/-/function-bind-1.1.2.tgz
package-lock.json:492
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/get-intrinsic/-/get-intrinsic-1.3.0.tgz
package-lock.json:501
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/get-proto/-/get-proto-1.0.1.tgz
package-lock.json:525
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/gopd/-/gopd-1.2.0.tgz
package-lock.json:538
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/has-symbols/-/has-symbols-1.1.0.tgz
package-lock.json:550
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/hasown/-/hasown-2.0.2.tgz
package-lock.json:562
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/hono/-/hono-4.12.8.tgz
package-lock.json:574
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/http-errors/-/http-errors-2.0.1.tgz
package-lock.json:583
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/iconv-lite/-/iconv-lite-0.7.2.tgz
package-lock.json:603
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/inherits/-/inherits-2.0.4.tgz
package-lock.json:619
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/ip-address/-/ip-address-10.1.0.tgz
package-lock.json:625
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/ipaddr.js/-/ipaddr.js-1.9.1.tgz
package-lock.json:634
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/is-promise/-/is-promise-4.0.0.tgz
package-lock.json:643
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/isexe/-/isexe-2.0.0.tgz
package-lock.json:649
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/jose/-/jose-6.2.1.tgz
package-lock.json:655
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz
package-lock.json:664
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/json-schema-typed/-/json-schema-typed-8.0.2.tgz
package-lock.json:670
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/math-intrinsics/-/math-intrinsics-1.1.0.tgz
package-lock.json:676
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/media-typer/-/media-typer-1.1.0.tgz
package-lock.json:685
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/merge-descriptors/-/merge-descriptors-2.0.0.tgz
package-lock.json:694
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/mime-db/-/mime-db-1.54.0.tgz
package-lock.json:706
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/mime-types/-/mime-types-3.0.2.tgz
package-lock.json:715
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/ms/-/ms-2.1.3.tgz
package-lock.json:731
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/negotiator/-/negotiator-1.0.0.tgz
package-lock.json:737
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/object-assign/-/object-assign-4.1.1.tgz
package-lock.json:746
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/object-inspect/-/object-inspect-1.13.4.tgz
package-lock.json:755
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/on-finished/-/on-finished-2.4.1.tgz
package-lock.json:767
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/once/-/once-1.4.0.tgz
package-lock.json:779
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/parseurl/-/parseurl-1.3.3.tgz
package-lock.json:788
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/path-key/-/path-key-3.1.1.tgz
package-lock.json:797
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/path-to-regexp/-/path-to-regexp-8.3.0.tgz
package-lock.json:806
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/pkce-challenge/-/pkce-challenge-5.0.1.tgz
package-lock.json:816
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/proxy-addr/-/proxy-addr-2.0.7.tgz
package-lock.json:825
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/qs/-/qs-6.15.0.tgz
package-lock.json:838
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/range-parser/-/range-parser-1.2.1.tgz
package-lock.json:853
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/raw-body/-/raw-body-3.0.2.tgz
package-lock.json:862
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/require-from-string/-/require-from-string-2.0.2.tgz
package-lock.json:877
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/router/-/router-2.2.0.tgz
package-lock.json:886
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/safer-buffer/-/safer-buffer-2.1.2.tgz
package-lock.json:902
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/send/-/send-1.2.1.tgz
package-lock.json:908
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/serve-static/-/serve-static-2.2.1.tgz
package-lock.json:934
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/setprototypeof/-/setprototypeof-1.2.0.tgz
package-lock.json:953
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/shebang-command/-/shebang-command-2.0.0.tgz
package-lock.json:959
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/shebang-regex/-/shebang-regex-3.0.0.tgz
package-lock.json:971
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/side-channel/-/side-channel-1.1.0.tgz
package-lock.json:980
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/side-channel-list/-/side-channel-list-1.0.0.tgz
package-lock.json:999
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/side-channel-map/-/side-channel-map-1.0.1.tgz
package-lock.json:1015
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz
package-lock.json:1033
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/statuses/-/statuses-2.0.2.tgz
package-lock.json:1052
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/toidentifier/-/toidentifier-1.0.1.tgz
package-lock.json:1061
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/type-is/-/type-is-2.0.1.tgz
package-lock.json:1070
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/unpipe/-/unpipe-1.0.0.tgz
package-lock.json:1084
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/vary/-/vary-1.1.2.tgz
package-lock.json:1093
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/which/-/which-2.0.2.tgz
package-lock.json:1102
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/wrappy/-/wrappy-1.0.2.tgz
package-lock.json:1117
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/zod/-/zod-4.3.6.tgz
package-lock.json:1123
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/zod-to-json-schema/-/zod-to-json-schema-3.25.1.tgz
package-lock.json:1132
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com
开发记录.md:29

File Tree

16 files · 92.3 KB · 3506 lines
Markdown 10f · 2035L JSON 2f · 1162L JavaScript 3f · 272L Shell 1f · 37L
├─ 📁 src
│ ├─ 📜 full-test.js JavaScript 123L · 2.6 KB
│ ├─ 📜 server.js JavaScript 80L · 1.9 KB
│ └─ 📜 test.js JavaScript 69L · 1.6 KB
├─ 📝 01-调研报告.md Markdown 266L · 6.3 KB
├─ 📋 package-lock.json JSON 1140L · 39.6 KB
├─ 📋 package.json JSON 22L · 465 B
├─ 📝 README.md Markdown 141L · 2.6 KB
├─ 📝 SKILL.md Markdown 196L · 5.1 KB
├─ 🔧 start.sh Shell 37L · 834 B
├─ 📝 优化报告-v1.0.1.md Markdown 224L · 6.0 KB
├─ 📝 开发记录.md Markdown 218L · 4.6 KB
├─ 📝 快速参考.md Markdown 86L · 1.4 KB
├─ 📝 第二阶段报告.md Markdown 238L · 5.5 KB
├─ 📝 第四阶段报告.md Markdown 266L · 5.9 KB
├─ 📝 集成测试报告.md Markdown 295L · 5.6 KB
└─ 📝 项目总览.md Markdown 105L · 2.2 KB

Dependencies 3 items

PackageVersionSourceKnown VulnsNotes
@modelcontextprotocol/sdk ^1.27.1 npm No Official MCP SDK, trusted
zod ^4.3.6 npm No Version range — considered acceptable for a demo skill
express (transitive) 5.2.1 npm No Present as transitive dependency from SDK, not used by skill code

Security Positives

✓ Uses official @modelcontextprotocol/sdk — no third-party code risk
✓ Only two simple, auditable tools: add (arithmetic) and hello_world (string greeting)
✓ Stdio-only transport — no network exposure, no inbound/outbound connections
✓ No credential, filesystem, or shell access
✓ No obfuscation, base64-encoded payloads, or eval usage
✓ No suspicious dependencies or supply-chain risks
✓ All test files (src/test.js, src/full-test.js) are local child_process spawning for testing only
✓ start.sh performs standard npm install with proper Node.js presence check
✓ Zod pinned to ^4.3.6 for parameter validation — trusted dependency