ICU
critical

slite-mcp-server

v1.3.0

'Slite MCP server'

npm | prenaudin | First seen Feb 22, 2026

Total: 15 | Critical: 4 | High: 1 | Medium: 10

Findings

unknown
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    11: const DEFAULT_API_BASE_URL = 'https://api.slite.com/v1';
    12: const ArgsType = zod_1.z.object({
>>> 13:     apiKey: zod_1.z.preprocess((value) => value ?? process.env.SLITE_API_KEY, zod_1.z.string({
    14:         message: 'Slite API key not provided. Please either pass it as an argument --api-key=$KEY or set the SLITE_API_KEY environment variable.',
    15:     })),
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    17:         .string()
    18:         .url({ message: 'Base url must be a valid url.' })
>>> 19:         .default(process.env.SLITE_API_BASE_URL ?? DEFAULT_API_BASE_URL),
    20: });
    21: commander_1.program
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    9: // Load environment variables
    10: dotenv_1.default.config();
>>> 11: const API_KEY = process.env.SLITE_API_KEY || '';
    12: const BASE_URL = process.env.SLITE_API_URL || 'https://api.slite.com/v1';
    13: (0, vitest_1.describe)('SliteClient', () => {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    10: dotenv_1.default.config();
    11: const API_KEY = process.env.SLITE_API_KEY || '';
>>> 12: const BASE_URL = process.env.SLITE_API_URL || 'https://api.slite.com/v1';
    13: (0, vitest_1.describe)('SliteClient', () => {
    14:     // Integration tests with real API (skip if no API key)
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable bytes]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    79:                 queryParams.format = format;
    80:             }
>>> 81:             const response = await this.fetch(`/notes/${noteId}`, queryParams);
    82:             return response;
    83:         }
medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    9:         this.baseUrl = baseUrl;
    10:     }
>>> 11:     async fetch(path, queryParams, options) {
    12:         const url = new URL(`${this.baseUrl}${path}`);
    13:         if (queryParams) {
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    18:             });
    19:         }
>>> 20:         const response = await fetch(url.toString(), {
    21:             method: options?.method || 'GET',
    22:             headers: {
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    50:             if (includeArchived !== undefined)
    51:                 queryParams.includeArchived = includeArchived.toString();
>>> 52:             const results = await this.fetch(`/search-notes`, queryParams);
    53:             return {
    54:                 results,
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    66:             if (assistantId)
    67:                 queryParams.assistantId = assistantId;
>>> 68:             const response = await this.fetch(`/ask`, queryParams);
    69:             return response;
    70:         }
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    92:                 queryParams.cursor = cursor;
    93:             }
>>> 94:             const response = await this.fetch(`/notes/${noteId}/children`, queryParams);
    95:             return response;
    96:         }
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    111:             if (html)
    112:                 body.html = html;
>>> 113:             const response = await this.fetch(`/notes`, undefined, { method: 'POST', body });
    114:             return response;
    115:         }
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    127:             if (html)
    128:                 body.html = html;
>>> 129:             const response = await this.fetch(`/notes/${noteId}`, undefined, { method: 'PUT', body });
    130:             return response;
    131:         }

Scan History

Date | Risk | Findings
Feb 25, 2026 | critical | 15
Feb 23, 2026 | critical | 15
Feb 22, 2026 | critical | 15