ICU
critical

@cap-js/mcp-server

v0.0.3

Model Context Protocol (MCP) server for AI-assisted development of CAP applications.

npm | cap-npm | First seen Feb 22, 2026

Total: 25
Critical: 3
High: 12
Medium: 10

Findings

unknown
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    103:   if (!changeWatcher) {
    104:     const intervalMs = process.env.CDS_MCP_REFRESH_MS
>>> 105:       ? parseInt(process.env.CDS_MCP_REFRESH_MS, 10)
    106:       : Math.max(compileDuration * 10, 20000)
    107:     changeWatcher = setInterval(async () => {

critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    102:   // Only do it once
    103:   if (!changeWatcher) {
>>> 104:     const intervalMs = process.env.CDS_MCP_REFRESH_MS
    105:       ? parseInt(process.env.CDS_MCP_REFRESH_MS, 10)
    106:       : Math.max(compileDuration * 10, 20000)

critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    77:       if (/DraftAdministrativeData$/.test(e.name)) continue
    78:       if (/[._]texts$/.test(e.name)) continue
>>> 79:       if (cds.env.effective.odata.containment && service.definition._containedEntities.has(e.name)) continue
    80:       exposed.push(each)
    81:     }

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-HEX | unknown | Medium Confidence | Line 0

Decoded hex content:  

Detected by automated pattern matching (rule DO-HEX) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    26: 
    27: async function downloadFile(url, outputPath) {
>>> 28:   const res = await fetch(url)
    29:   if (!res.ok) throw new Error(`Failed to download ${url}, status ${res.status}`)
    30: 

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.5 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    64:     const jsonData = await jsonResponse.arrayBuffer()
    65: 
>>> 66:     const binResponse = await fetch('https://cap.cloud.sap/resources/embeddings/code-chunks.bin', { headers })
    67: 
    68:     if (!binResponse.ok) {

medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    43:     }
    44: 
>>> 45:     const jsonResponse = await fetch('https://cap.cloud.sap/resources/embeddings/code-chunks.json', { headers })
    46: 
    47:     if (jsonResponse.status === 304) {

Scan History

Date | Risk | Findings
Feb 25, 2026 | critical | 25
Feb 23, 2026 | critical | 25
Feb 22, 2026 | critical | 25