Trusted: risk score 5/100
Last scan: 1 day ago
substreams-search-mcp
Search, inspect, and analyze Substreams packages from the substreams.dev registry
This is a legitimate Substreams package registry search and inspection tool with no malicious behavior detected.
Skill name: substreams-search-mcp
Analysis time: 43.7s
Engine: pi
Verdict: safe to install
This skill is safe to use. All network operations target publicly documented blockchain data APIs (substreams.dev, spkg.io).

Security findings (2)

Severity: Low | Category: Supply chain | Location: requirements.txt:1
Finding: Python dependencies not version-pinned
requirements.txt lists 'mcp', 'beautifulsoup4' and 'requests' with no version constraints, so every install resolves to whatever release is newest at that moment. These are well-established packages, but pinning is still the supply-chain baseline.
Affected packages: mcp, beautifulsoup4, requests
→ Recommendation: pin the versions. The form the report suggests (requests>=2.31.0, beautifulsoup4>=4.12.0) only sets a floor and still resolves to the newest release; an exact == pin, ideally with --hash entries, is what actually locks the install.

Severity: Low | Category: Supply chain | Location: package.json:35
Finding: NPM devDependencies use caret ranges
package.json devDependencies (@types/express, @types/node, typescript) use ^ ranges, which let a breaking minor release in. Low risk because devDependencies are not shipped to production, but not ideal. Note also that "@types/express": "^5.0.0" sits next to a runtime "express": "^4.21.0" (see the dependency analysis); the type package's major should track the runtime package's major.
→ Recommendation: use exact versions, or ~ ranges, for devDependencies
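Both findings above come down to the same question: how far can a version specifier float before the dependency that runs is no longer the one that was reviewed? The following is an added example, not the scanner's code and not part of substreams-search-mcp, that classifies requirements.txt lines and package.json ranges by exactly that. The sample manifests are constructed from the ranges this report lists, the requirement-line grammar is a simplified subset of PEP 508, and classify_pip_spec, classify_npm_range and audit_manifests are names chosen for the example.

```python
from __future__ import annotations

import json
import re
from typing import Optional

# Name, optional [extras], then everything up to a ';' marker. A simplified subset of
# PEP 508: direct references (name @ url) and pip options are not parsed.
_PIP_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*([^;#]*)")
_PIP_OPS = re.compile(r"===?|~=|<=?|>=?|!=")


def classify_pip_spec(line: str) -> Optional[str]:
    """Classify one requirements.txt line by how far it can float.

    'pinned'   exact version (== or ===)        the fix the finding asks for
    'bounded'  has an upper bound (~=, <, <=)   a major bump cannot slip in
    'floor'    only a lower bound (>=, >, !=)   still resolves to the newest release
    'unpinned' bare package name
    None for blank lines, comments and pip options such as -r or --index-url.
    """
    stripped = line.split("#", 1)[0].strip()
    if not stripped or stripped.startswith("-"):
        return None
    m = _PIP_LINE.match(stripped)
    if m is None:
        return None
    ops = _PIP_OPS.findall(m.group(3))
    if not ops:
        return "unpinned"
    if "==" in ops or "===" in ops:
        return "pinned"
    if any(op in ("~=", "<", "<=") for op in ops):
        return "bounded"
    return "floor"


_NPM_EXACT = re.compile(r"\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?")


def classify_npm_range(spec: str) -> str:
    """Classify a package.json range: 'exact', 'tilde' (patch floats), 'caret'
    (minor and patch float), 'floor' (>, >=, *, latest) or 'other' (git, file:, tags)."""
    s = spec.strip()
    if s in ("", "*", "latest") or s.startswith((">", "x")):
        return "floor"
    if s.startswith("^"):
        return "caret"
    if s.startswith("~"):
        return "tilde"
    if _NPM_EXACT.fullmatch(s):
        return "exact"
    return "other"


# Ranges that earn a finding; '~' is tolerated, matching the report's recommendation.
FLOATING = {"unpinned", "floor", "caret"}


def audit_manifests(requirements_txt: str, package_json: str) -> list[dict]:
    """One finding per requirement line or npm range that can float."""
    findings = []
    for lineno, line in enumerate(requirements_txt.splitlines(), 1):
        kind = classify_pip_spec(line)
        if kind in FLOATING:
            findings.append({"file": "requirements.txt", "line": lineno,
                             "package": line.strip(), "spec": line.strip(), "kind": kind})
    pkg = json.loads(package_json)
    for section in ("dependencies", "devDependencies"):
        for name, rng in pkg.get(section, {}).items():
            kind = classify_npm_range(rng)
            if kind in FLOATING:
                findings.append({"file": "package.json", "section": section,
                                 "package": name, "spec": rng, "kind": kind})
    return findings


# Constructed sample manifests using the ranges this report lists; the other
# devDependencies are omitted because the report does not show their ranges.
SAMPLE_REQUIREMENTS = "mcp\nbeautifulsoup4\nrequests\n"
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {
        "@modelcontextprotocol/sdk": "^1.12.1",
        "express": "^4.21.0",
        "@substreams/core": "^0.17.0",
    },
    "devDependencies": {"@types/express": "^5.0.0"},
})


def audit_sample() -> list[dict]:
    return audit_manifests(SAMPLE_REQUIREMENTS, SAMPLE_PACKAGE_JSON)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Run against the constructed manifests it reports three unpinned pip requirements and four caret npm ranges. Rewriting requirements.txt as requests>=2.31.0 moves that line from 'unpinned' to 'floor', which is still a finding; only an == pin clears it.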
Permissions (declared vs inferred)
Resource | Declared | Inferred | Status | Evidence
File system | NONE | NONE | | No file read/write operations in any implementation
Network access | READ | READ | ✓ consistent | src/index.ts:84 fetches substreams.dev; src/index.ts:212 fetches spkg.io for .sp…
Command execution | NONE | NONE | | No subprocess or shell execution in any file
Environment variables | NONE | NONE | | Only reads MCP_HTTP_PORT for port configuration
External URLs: 13 findings (the engine rates every external URL Medium regardless of host)
Only the server.py and src/index.ts entries are run-time network destinations; the README, glama.json and package-lock.json entries are badges, a schema reference and funding links.
Severity | URL | Location
Medium | https://img.shields.io/npm/v/substreams-search-mcp | README.md:3
Medium | https://www.npmjs.com/package/substreams-search-mcp | README.md:3
Medium | https://glama.ai/mcp/servers/@PaulieB14/substreams-search-mcp-server | README.md:5
Medium | https://glama.ai/mcp/servers/@PaulieB14/substreams-search-mcp-server/badge | README.md:6
Medium | https://substreams.dev | README.md:9
Medium | https://spkg.io/creator/package-v1.0.0.spkg | README.md:69
Medium | https://glama.ai/mcp/schemas/server.json | glama.json:2
Medium | https://opencollective.com/express | package-lock.json:184
Medium | https://opencollective.com/fastify | package-lock.json:596
Medium | https://substreams.dev/packages | server.py:13
Medium | https://substreams.dev$ | src/index.ts:71
Medium | https://spkg.io/ | src/index.ts:238
Medium | https://spkg.io/streamingfast/substreams-uniswap-v3-v0.2.10.spkg | src/index.ts:269
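The permission table and the external-URL list above are products of the same kind of pass: a search over every file for indicator calls and URL literals, recorded as file:line evidence. The following is an added example, not the scanner's code and not part of substreams-search-mcp, of that pass. It collects evidence per resource type, compares the inferred levels with the declared ones, and checks that every URL in a code file (as opposed to a README badge or a lockfile funding link) points at one of the documented hosts. The indicator regexes, the sample sources and the function names scan_sources, infer_levels, mismatches and offlist_network_hosts are this example's own assumptions. Unlike the report, which treats the single MCP_HTTP_PORT read as no environment access, the example flags every process.env read and leaves that judgment to the reviewer.

```python
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlsplit

# One indicator regex per resource type in the permission table. The pattern set is
# this example's assumption, not the scanner's; it covers the Node and Python calls a
# reviewer would grep for first. The network patterns are all GET-style, which is why
# infer_levels reports network as READ; fetch() with a method option needs a closer look.
PERMISSION_PATTERNS = {
    "filesystem": re.compile(r"\bfs\.(?:readFile|writeFile|readFileSync|writeFileSync)\b|\bopen\("),
    "network": re.compile(r"\bfetch\(|\brequests\.get\(|\baxios\.get\(|\bhttps?\.get\("),
    "command_execution": re.compile(r"\bchild_process\b|\bexec(?:Sync)?\(|\bspawn\(|\bsubprocess\."),
    "environment": re.compile(r"\bprocess\.env\.\w+|\bos\.environ\b"),
}
# Files whose URLs are network destinations at run time, as opposed to README badges,
# schema references and lockfile funding links.
CODE_SUFFIXES = (".ts", ".js", ".py")
# Stops at quotes, brackets and '$', so a template literal such as
# `https://substreams.dev${path}` yields the host rather than the trailing '$'.
URL_RE = re.compile(r"https?://[^\s\"'`<>()\[\]$]+")


def scan_sources(files: dict[str, str]) -> dict:
    """Collect permission evidence (file:line per category) and every URL literal."""
    perms = defaultdict(list)
    urls = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for category, pat in PERMISSION_PATTERNS.items():
                if pat.search(line):
                    perms[category].append(f"{name}:{lineno}")
            for m in URL_RE.finditer(line):
                urls.append({"url": m.group(0), "file": name, "line": lineno})
    return {"permissions": dict(perms), "urls": urls}


def infer_levels(scan: dict) -> dict[str, str]:
    """Map evidence to the levels the permission table uses: NONE, READ or USED."""
    levels = {}
    for category in PERMISSION_PATTERNS:
        if not scan["permissions"].get(category):
            levels[category] = "NONE"
        elif category == "network":
            levels[category] = "READ"
        else:
            levels[category] = "USED"
    return levels


def mismatches(declared: dict[str, str], inferred: dict[str, str]) -> set[str]:
    """Categories where the code does something other than what the skill declares."""
    return {c for c, level in inferred.items() if declared.get(c, "NONE") != level}


def offlist_network_hosts(scan: dict, allowed_hosts: set[str]) -> list[dict]:
    """URLs in code files whose host is outside the documented API allow-list."""
    bad = []
    for u in scan["urls"]:
        if not u["file"].endswith(CODE_SUFFIXES):
            continue
        host = urlsplit(u["url"]).hostname
        if host not in allowed_hosts:
            bad.append({**u, "host": host})
    return bad


# Constructed sample sources reproducing the shapes this report cites (a template
# literal to substreams.dev, a literal spkg.io URL, README badges, a lockfile funding
# link); they are not the project's actual files.
SAMPLE_FILES = {
    "src/index.ts": (
        "const PORT = Number(process.env.MCP_HTTP_PORT ?? 3000);\n"
        "const page = await fetch(`https://substreams.dev${path}`);\n"
        'const pkg = await fetch("https://spkg.io/streamingfast/substreams-uniswap-v3-v0.2.10.spkg");\n'
    ),
    "server.py": 'BASE = "https://substreams.dev/packages"\nresp = requests.get(BASE)\n',
    "README.md": "[![npm](https://img.shields.io/npm/v/substreams-search-mcp)]"
                 "(https://www.npmjs.com/package/substreams-search-mcp)\n",
    "package-lock.json": '"funding": {"url": "https://opencollective.com/express"}\n',
}
# The report's declared column: everything NONE except read-only network access.
DECLARED = {"filesystem": "NONE", "network": "READ",
            "command_execution": "NONE", "environment": "NONE"}
ALLOWED_HOSTS = {"substreams.dev", "spkg.io"}


def scan_sample() -> dict:
    return scan_sources(SAMPLE_FILES)


if __name__ == "__main__":
    scan = scan_sample()
    print("inferred:", infer_levels(scan))
    print("mismatch vs declared:", mismatches(DECLARED, infer_levels(scan)))
    print("off-list hosts in code:", offlist_network_hosts(scan, ALLOWED_HOSTS))
```

On the constructed sources the network evidence is the two fetch calls in src/index.ts and the requests.get in server.py, no code-file URL leaves the allow-list, and the only declared/inferred mismatch is the environment read, which is the point a human then decides (as the report did for MCP_HTTP_PORT). Adding a file that fetches any other host makes offlist_network_hosts return it with its hostname.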

Directory structure

9 files · 80.1 KB · 2361 lines
JSON 4 files · 1437 lines; TypeScript 1 file · 601 lines; Markdown 2 files · 178 lines; Python 1 file · 142 lines; Text 1 file · 3 lines
├─ 📁 src
│ └─ 📜 index.ts TypeScript 601L · 20.0 KB
├─ 📋 glama.json JSON 6L · 100 B
├─ 📋 package-lock.json JSON 1342L · 46.6 KB
├─ 📋 package.json JSON 73L · 1.6 KB
├─ 📝 README.md Markdown 136L · 5.1 KB
├─ 📄 requirements.txt Text 3L · 33 B
├─ 🐍 server.py Python 142L · 4.5 KB
├─ 📝 SKILL.md Markdown 42L · 1.9 KB
└─ 📋 tsconfig.json JSON 16L · 338 B

Dependency analysis (5)

Package | Version | Source | Known vulnerabilities | Notes
requests | * | pip | (none listed) | Version not pinned in requirements.txt
beautifulsoup4 | * | pip | (none listed) | Version not pinned
@modelcontextprotocol/sdk | ^1.12.1 | npm | (none listed) | Official MCP SDK
express | ^4.21.0 | npm | (none listed) | Caret range pins the major only; used for the local SSE transport only
@substreams/core | ^0.17.0 | npm | (none listed) | Official StreamingFast library for .spkg parsing; a ^0.x range floats on patch only, so this is effectively 0.17.x

Security highlights

✓ All network requests target documented public APIs (substreams.dev, spkg.io)
✓ All tools are read-only operations (search, inspect, list, get_sink_config)
✓ No credential harvesting or sensitive data access
✓ No shell execution, no base64 encoding, no obfuscation
✓ All tools have readOnlyHint: true annotations
✓ SSE transport is declared in SKILL.md and only starts locally
✓ Uses official @modelcontextprotocol/sdk
✓ Package is MIT licensed with public GitHub repository