@supermodeltools/mcp-server
v0.9.6
MCP server for Supermodel API - code graph generation for AI agents
Findings: 64 Total — 22 Critical, 22 High, 20 Medium
unknown
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
87: recoverable: false,
88: suggestion: 'Set the SUPERMODEL_API_KEY environment variable and restart the MCP server.',
>>> 89: details: { apiKeySet: !!process.env.SUPERMODEL_API_KEY, httpStatus: 401 },
90: };
91: case 403:
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
97: // Parse args
98: let directory = '';
>>> 99: let outputDir = process.env.SUPERMODEL_CACHE_DIR || './supermodel-cache';
100: let repoName = '';
101: for (let i = 0; i < args.length; i++) {
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
55: // Normal MCP server mode — parse flags
56: let defaultWorkdir;
>>> 57: let noApiFallback = !!process.env.SUPERMODEL_NO_API_FALLBACK;
58: let precache = false;
59: for (const arg of args) {
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
191: await (0, zip_repository_1.cleanupOldZips)(constants_1.ZIP_CLEANUP_AGE_MS);
192: // Load pre-computed graphs from cache directory
>>> 193: const cacheDir = process.env.SUPERMODEL_CACHE_DIR;
194: if (cacheDir) {
195: try {
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
120: logger.debug('Server configuration:');
121: logger.debug('Base URL:', config.basePath);
>>> 122: logger.debug('API Key set:', !!process.env.SUPERMODEL_API_KEY);
123: if (this.defaultWorkdir) {
124: logger.debug('Default workdir:', this.defaultWorkdir);
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
115: const config = new sdk_1.Configuration({
116: basePath: process.env.SUPERMODEL_BASE_URL || 'https://api.supermodeltools.com',
>>> 117: apiKey: process.env.SUPERMODEL_API_KEY,
118: fetchApi: fetchWithTimeout,
119: });
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
90: // Sensitive files (CRITICAL - prevent credential leaks)
91: '.env',
>>> 92: '.env.local',
93: '.env.*.local',
94: '*.pem',
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
114: });
115: const config = new sdk_1.Configuration({
>>> 116: basePath: process.env.SUPERMODEL_BASE_URL || 'https://api.supermodeltools.com',
117: apiKey: process.env.SUPERMODEL_API_KEY,
118: fetchApi: fetchWithTimeout,
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
58: const logger = __importStar(require("./utils/logger"));
59: // Configure HTTP timeout for API requests
>>> 60: const parsedTimeout = parseInt(process.env.SUPERMODEL_TIMEOUT_MS || '', 10);
61: const TIMEOUT_MS = Number.isFinite(parsedTimeout) && parsedTimeout > 0
62: ? parsedTimeout
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
89: '.DS_Store',
90: // Sensitive files (CRITICAL - prevent credential leaks)
>>> 91: '.env',
92: '.env.local',
93: '.env.*.local',
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
12: exports.warn = warn;
13: exports.error = error;
>>> 14: const DEBUG = process.env.DEBUG === 'true';
15: /**
16: * Debug log - only shown when DEBUG=true
SSH directory access
Detected by automated pattern matching (rule DE-001) with medium confidence. May be a false positive.
104: '.aws/credentials',
105: '.ssh/id_rsa',
>>> 106: '.ssh/id_ed25519',
107: // Large binary files
108: '*.mp4',
SSH private key access
Detected by automated pattern matching (rule DE-005) with medium confidence. May be a false positive.
103: 'serviceaccount.json',
104: '.aws/credentials',
>>> 105: '.ssh/id_rsa',
106: '.ssh/id_ed25519',
107: // Large binary files
SSH directory access
Detected by automated pattern matching (rule DE-001) with medium confidence. May be a false positive.
103: 'serviceaccount.json',
104: '.aws/credentials',
>>> 105: '.ssh/id_rsa',
106: '.ssh/id_ed25519',
107: // Large binary files
AWS credentials access
Detected by automated pattern matching (rule DE-003) with medium confidence. May be a false positive.
102: 'credentials.json',
103: 'serviceaccount.json',
>>> 104: '.aws/credentials',
105: '.ssh/id_rsa',
106: '.ssh/id_ed25519',
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
176: const config = new Configuration({
177: basePath: process.env.SUPERMODEL_BASE_URL || 'https://api.supermodeltools.com',
>>> 178: apiKey: process.env.SUPERMODEL_API_KEY,
179: fetchApi: fetchWithTimeout,
180: });
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
175: };
176: const config = new Configuration({
>>> 177: basePath: process.env.SUPERMODEL_BASE_URL || 'https://api.supermodeltools.com',
178: apiKey: process.env.SUPERMODEL_API_KEY,
179: fetchApi: fetchWithTimeout,
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
162: const { Agent } = require('undici');
163: const { DEFAULT_API_TIMEOUT_MS, CONNECTION_TIMEOUT_MS } = require('./constants');
>>> 164: const parsedTimeout = parseInt(process.env.SUPERMODEL_TIMEOUT_MS || '', 10);
165: const timeoutMs = Number.isFinite(parsedTimeout) && parsedTimeout > 0
166: ? parsedTimeout
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
114: process.exit(1);
115: }
>>> 116: if (!process.env.SUPERMODEL_API_KEY) {
117: console.error('Error: SUPERMODEL_API_KEY environment variable is required');
118: process.exit(1);
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
91: '.env',
92: '.env.local',
>>> 93: '.env.*.local',
94: '*.pem',
95: '*.key',
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
165: recoverable: true,
166: suggestion: 'Check network connectivity. Verify the API is reachable at the configured base URL.',
>>> 167: details: { baseUrl: process.env.SUPERMODEL_BASE_URL || 'https://api.supermodeltools.com' },
168: };
169: }
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
105: recoverable: false,
106: suggestion: 'Check SUPERMODEL_BASE_URL environment variable. Default: https://api.supermodeltools.com',
>>> 107: details: { baseUrl: process.env.SUPERMODEL_BASE_URL || 'https://api.supermodeltools.com', httpStatus: 404 },
108: };
109: case 429:
Node.js child process spawning
Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive.
398: // Strategy 0 (highest priority): Match by exact commit hash
399: try {
>>> 400: const { execSync } = require('child_process');
401: const commitHash = execSync('git rev-parse --short HEAD', {
402: cwd: directory, encoding: 'utf-8', timeout: 2000,
Node.js child process spawning
Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive.
416: // Strategy 2: Try git remote (sync, best-effort)
417: try {
>>> 418: const { execSync } = require('child_process');
419: const remote = execSync('git remote get-url origin', {
420: cwd: directory,
Node.js child process spawning
Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive.
469: function detectRepoName(directory) {
470: try {
>>> 471: const { execSync } = require('child_process');
472: const remote = execSync('git remote get-url origin', {
473: cwd: directory,
Decoded base64 content: ��N�s뢗�� ޱ���+
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Decoded base64 content: ���i�^������
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Decoded base64 content: ���i�^������
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Decoded base64 content: ���i�^������
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Node.js child process spawning
Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive.
119: }
120: const { resolve, basename, join } = require('path');
>>> 121: const { execSync } = require('child_process');
122: const { existsSync } = require('fs');
123: const resolvedDir = resolve(directory);
Decoded base64 content: ��N�s뢗�� ޱ���+
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Decoded base64 content: ��N�s뢗�� ޱ���+
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Decoded base64 content: J�b�'���ӭ�즊�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Decoded base64 content: ���i�^������
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Node.js child process spawning
Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive.
7: exports.generateIdempotencyKey = generateIdempotencyKey;
8: exports.classifyApiError = classifyApiError;
>>> 9: const child_process_1 = require("child_process");
10: const crypto_1 = require("crypto");
11: const path_1 = require("path");
Node.js child process spawning
Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive.
25: try {
26: // Get git commit hash
>>> 27: hash = (0, child_process_1.execSync)('git rev-parse --short HEAD', {
28: cwd: directory,
29: encoding: 'utf-8',
Node.js child process spawning
Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive.
30: }).trim();
31: // Include working tree status in hash to detect uncommitted changes
>>> 32: const statusOutput = (0, child_process_1.execSync)('git status --porcelain', {
33: cwd: directory,
34: encoding: 'utf-8',
Decoded base64 content: ��N�s뢗�� ޱ���+
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Decoded base64 content: i�b�*'jQ1r[����
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Decoded base64 content: i�b�*'jQ1r[����
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Decoded base64 content: i�b�*'jQ1r[����
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Decoded base64 content: i�b�*'jQ1r[����
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Decoded base64 content: i�b�*'jQ1r[����
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Decoded base64 content: i�b�*'jQ1r[����
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
High-entropy string (4.5 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.5 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.5 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (5.0 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.8 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
JavaScript fetch() call
Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.
172: });
173: const fetchWithTimeout = (url, init) => {
>>> 174: return fetch(url, { ...init, dispatcher: httpAgent });
175: };
176: const config = new Configuration({
High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.5 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
JavaScript fetch() call
Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.
68: });
69: const fetchWithTimeout = (url, init) => {
>>> 70: return fetch(url, {
71: ...init,
72: // @ts-ignore - 'dispatcher' is a valid undici option
High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.5 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Scan History
| Date | Risk | Findings | Files | Duration |
|---|---|---|---|---|
| Feb 25, 2026 | critical | 64 | 14 | 0.00s |
| Feb 23, 2026 | critical | 64 | 14 | 0.00s |
| Feb 22, 2026 | critical | 64 | 14 | 0.00s |