中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:23 hr ago Rescan
5 /100
substreams-search-mcp
Search, inspect, and analyze Substreams packages from the substreams.dev registry
This is a legitimate Substreams package registry search and inspection tool with no malicious behavior detected.
Skill Namesubstreams-search-mcp
Duration43.7s
Enginepi
Safe to install
This skill is safe to use. All network operations target publicly documented blockchain data APIs (substreams.dev, spkg.io).

Findings 2 items

Severity Finding Location
Low
Python dependencies not version-pinned Supply Chain
requirements.txt contains 'mcp', 'beautifulsoup4', 'requests' without version constraints. While these are well-established packages, version pinning is security best practice.
mcp
beautifulsoup4
requests
→ Pin versions: requests>=2.31.0, beautifulsoup4>=4.12.0
 requirements.txt:1
Low
NPM devDependencies use caret ranges Supply Chain
package.json devDependencies (@types/express, @types/node, typescript) use ^ ranges which could pull breaking changes. Low risk for production but not ideal.
"@types/express": "^5.0.0"
→ Use pinned versions or ~ for devDependencies
 package.json:35
ResourceDeclaredInferredStatusEvidence
Filesystem NONE NONE No file read/write operations in any implementation
Network READ READ ✓ Aligned src/index.ts:84 fetches substreams.dev; src/index.ts:212 fetches spkg.io for .sp…
Shell NONE NONE No subprocess or shell execution in any file
Environment NONE NONE Only reads MCP_HTTP_PORT for port configuration
13 findings
🔗
Medium External URL 外部 URL
https://img.shields.io/npm/v/substreams-search-mcp
README.md:3
🔗
Medium External URL 外部 URL
https://www.npmjs.com/package/substreams-search-mcp
README.md:3
🔗
Medium External URL 外部 URL
https://glama.ai/mcp/servers/@PaulieB14/substreams-search-mcp-server
README.md:5
🔗
Medium External URL 外部 URL
https://glama.ai/mcp/servers/@PaulieB14/substreams-search-mcp-server/badge
README.md:6
🔗
Medium External URL 外部 URL
https://substreams.dev
README.md:9
🔗
Medium External URL 外部 URL
https://spkg.io/creator/package-v1.0.0.spkg
README.md:69
🔗
Medium External URL 外部 URL
https://glama.ai/mcp/schemas/server.json
glama.json:2
🔗
Medium External URL 外部 URL
https://opencollective.com/express
package-lock.json:184
🔗
Medium External URL 外部 URL
https://opencollective.com/fastify
package-lock.json:596
🔗
Medium External URL 外部 URL
https://substreams.dev/packages
server.py:13
🔗
Medium External URL 外部 URL
https://substreams.dev$
src/index.ts:71
🔗
Medium External URL 外部 URL
https://spkg.io/
src/index.ts:238
🔗
Medium External URL 外部 URL
https://spkg.io/streamingfast/substreams-uniswap-v3-v0.2.10.spkg
src/index.ts:269

File Tree

9 files · 80.1 KB · 2361 lines
JSON 4f · 1437L TypeScript 1f · 601L Markdown 2f · 178L Python 1f · 142L Text 1f · 3L
├─ 📁 src
│ └─ 📜 index.ts TypeScript 601L · 20.0 KB
├─ 📋 glama.json JSON 6L · 100 B
├─ 📋 package-lock.json JSON 1342L · 46.6 KB
├─ 📋 package.json JSON 73L · 1.6 KB
├─ 📝 README.md Markdown 136L · 5.1 KB
├─ 📄 requirements.txt Text 3L · 33 B
├─ 🐍 server.py Python 142L · 4.5 KB
├─ 📝 SKILL.md Markdown 42L · 1.9 KB
└─ 📋 tsconfig.json JSON 16L · 338 B

Dependencies 5 items

PackageVersionSourceKnown VulnsNotes
requests * pip No Version not pinned in requirements.txt
beautifulsoup4 * pip No Version not pinned
@modelcontextprotocol/sdk ^1.12.1 npm No Official MCP SDK
express ^4.21.0 npm No Pinned major version, used for local SSE transport only
@substreams/core ^0.17.0 npm No Official StreamingFast library for .spkg parsing

Security Positives

✓ All network requests target documented public APIs (substreams.dev, spkg.io)
✓ All tools are read-only operations (search, inspect, list, get_sink_config)
✓ No credential harvesting or sensitive data access
✓ No shell execution, no base64 encoding, no obfuscation
✓ All tools have readOnlyHint: true annotations
✓ SSE transport is declared in SKILL.md and only starts locally
✓ Uses official @modelcontextprotocol/sdk
✓ Package is MIT licensed with public GitHub repository