Audit History - mcp-builder

Audit version 5

Latest Low Risk

Jan 16, 2026, 04:40 PM

This is a documentation guidance skill for building MCP servers. The static analyzer flagged 599 potential issues, but ALL findings are FALSE POSITIVES. The 'weak cryptographic algorithm' detections in documentation files are pattern matches on words like 'md5' appearing in text/code examples. The 'external command' findings are documentation examples showing how to run MCP servers for testing (e.g., 'python server.py'). Environment variable access is standard practice for API authentication configuration. The critical heuristic about 'Code execution + Network + Credential access' is a false positive - this is legitimate documentation that naturally involves all three patterns for building and testing MCP servers. No malicious intent, data exfiltration, or harmful patterns detected.

11

Files scanned

4,591

Lines analyzed

5

findings

claude

Audited by

No security issues found

Risk Factors

⚡ Contains scripts (2)

scripts/connections.py:1-152 scripts/evaluation.py:1-374

🌐 Network access (2)

SKILL.md:60-76 scripts/evaluation.py:21-53

📁 Filesystem access (2)

scripts/evaluation.py:56-77 scripts/evaluation.py:305-335

🔑 Env variables (2)

scripts/connections.py:76-85 scripts/evaluation.py:228

⚙️ External commands (2)

SKILL.md:223-232 reference/evaluation.md:19-26

Audit version 4

Low Risk

Jan 16, 2026, 04:40 PM

This is a documentation guidance skill for building MCP servers. The static analyzer flagged 599 potential issues, but ALL findings are FALSE POSITIVES. The 'weak cryptographic algorithm' detections in documentation files are pattern matches on words like 'md5' appearing in text/code examples. The 'external command' findings are documentation examples showing how to run MCP servers for testing (e.g., 'python server.py'). Environment variable access is standard practice for API authentication configuration. The critical heuristic about 'Code execution + Network + Credential access' is a false positive - this is legitimate documentation that naturally involves all three patterns for building and testing MCP servers. No malicious intent, data exfiltration, or harmful patterns detected.

11

Files scanned

4,591

Lines analyzed

5

findings

claude

Audited by

No security issues found

Risk Factors

⚡ Contains scripts (2)

scripts/connections.py:1-152 scripts/evaluation.py:1-374

🌐 Network access (2)

SKILL.md:60-76 scripts/evaluation.py:21-53

📁 Filesystem access (2)

scripts/evaluation.py:56-77 scripts/evaluation.py:305-335

🔑 Env variables (2)

scripts/connections.py:76-85 scripts/evaluation.py:228

⚙️ External commands (2)

SKILL.md:223-232 reference/evaluation.md:19-26

Audit version 3

Low Risk

Jan 10, 2026, 10:31 AM

This is a documentation and guidance skill for building MCP servers. Contains helper Python scripts for connection management and evaluation. The scripts have standard network capabilities for API integration and can spawn subprocesses for local MCP server testing. All network endpoints are user-specified or well-known Anthropic API endpoints. No sensitive data collection or exfiltration patterns detected.

10

Files scanned

2,413

Lines analyzed

5

findings

claude

Audited by

No security issues found

Risk Factors

⚡ Contains scripts (2)

scripts/connections.py:1-152 scripts/evaluation.py:1-374

🌐 Network access (2)

scripts/evaluation.py:21-53 scripts/evaluation.py:220-273

📁 Filesystem access (2)

scripts/evaluation.py:56-77 scripts/evaluation.py:305-335

🔑 Env variables (2)

scripts/evaluation.py:228 scripts/evaluation.py:344

⚙️ External commands (1)

scripts/evaluation.py:346-354

Audit version 2

Low Risk

Jan 10, 2026, 10:31 AM

This is a documentation and guidance skill for building MCP servers. Contains helper Python scripts for connection management and evaluation. The scripts have standard network capabilities for API integration and can spawn subprocesses for local MCP server testing. All network endpoints are user-specified or well-known Anthropic API endpoints. No sensitive data collection or exfiltration patterns detected.

10

Files scanned

2,413

Lines analyzed

5

findings

claude

Audited by

No security issues found

Risk Factors

⚡ Contains scripts (2)

scripts/connections.py:1-152 scripts/evaluation.py:1-374

🌐 Network access (2)

scripts/evaluation.py:21-53 scripts/evaluation.py:220-273

📁 Filesystem access (2)

scripts/evaluation.py:56-77 scripts/evaluation.py:305-335

🔑 Env variables (2)

scripts/evaluation.py:228 scripts/evaluation.py:344

⚙️ External commands (1)

scripts/evaluation.py:346-354

Audit version 1

Low Risk

Jan 10, 2026, 10:31 AM

This is a documentation and guidance skill for building MCP servers. Contains helper Python scripts for connection management and evaluation. The scripts have standard network capabilities for API integration and can spawn subprocesses for local MCP server testing. All network endpoints are user-specified or well-known Anthropic API endpoints. No sensitive data collection or exfiltration patterns detected.

10

Files scanned

2,413

Lines analyzed

5

findings

claude

Audited by

No security issues found