ICU
critical

@tsmztech/mcp-server-salesforce

v0.0.6

A Salesforce connector MCP Server.

npm | tsmz | First seen Feb 22, 2026

Total: 12 | Critical: 7 | High: 3 | Medium: 2

Findings

unknown
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    80:             // OAuth 2.0 Client Credentials Flow
    81:             const clientId = process.env.SALESFORCE_CLIENT_ID;
>>> 82:             const clientSecret = process.env.SALESFORCE_CLIENT_SECRET;
    83:             if (!clientId || !clientSecret) {
    84:                 throw new Error('SALESFORCE_CLIENT_ID and SALESFORCE_CLIENT_SECRET are required for OAuth 2.0 Client Credentials Flow');
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    70:     // Determine connection type from environment variables or config
    71:     const connectionType = config?.type ||
>>> 72:         process.env.SALESFORCE_CONNECTION_TYPE ||
    73:         ConnectionType.User_Password;
    74:     // Set login URL from config or environment variable
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    74:     // Set login URL from config or environment variable
    75:     const loginUrl = config?.loginUrl ||
>>> 76:         process.env.SALESFORCE_INSTANCE_URL ||
    77:         'https://login.salesforce.com';
    78:     try {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    79:         if (connectionType === ConnectionType.OAuth_2_0_Client_Credentials) {
    80:             // OAuth 2.0 Client Credentials Flow
>>> 81:             const clientId = process.env.SALESFORCE_CLIENT_ID;
    82:             const clientSecret = process.env.SALESFORCE_CLIENT_SECRET;
    83:             if (!clientId || !clientSecret) {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    155:             const username = process.env.SALESFORCE_USERNAME;
    156:             const password = process.env.SALESFORCE_PASSWORD;
>>> 157:             const token = process.env.SALESFORCE_TOKEN;
    158:             if (!username || !password) {
    159:                 throw new Error('SALESFORCE_USERNAME and SALESFORCE_PASSWORD are required for Username/Password authentication');
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    154:             // Default: Username/Password Flow with Security Token
    155:             const username = process.env.SALESFORCE_USERNAME;
>>> 156:             const password = process.env.SALESFORCE_PASSWORD;
    157:             const token = process.env.SALESFORCE_TOKEN;
    158:             if (!username || !password) {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    153:         else {
    154:             // Default: Username/Password Flow with Security Token
>>> 155:             const username = process.env.SALESFORCE_USERNAME;
    156:             const password = process.env.SALESFORCE_PASSWORD;
    157:             const token = process.env.SALESFORCE_TOKEN;
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable bytes]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | SC-005 | Suspicious Commands | Medium Confidence | Line 0

Node.js child process spawning

Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive.

    3: import https from 'https';
    4: import querystring from 'querystring';
>>> 5: import { exec } from 'child_process';
    6: import { promisify } from 'util';
    7: const execAsync = promisify(exec);
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable bytes]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.


Scan History

Date | Risk | Findings
Feb 25, 2026 | critical | 12
Feb 23, 2026 | critical | 12
Feb 22, 2026 | critical | 12