ICU
critical

openapi-mcp-generator

v3.2.0

Generates MCP server code from OpenAPI specifications

npm | harshasurisetty | First seen Feb 22, 2026

Total: 89
Critical: 42
High: 29
Medium: 18

Findings

unknown
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    217:                 
    218:                 // Check for client credentials for auto-acquisition
>>> 219:                 if (process.env[\`OAUTH_CLIENT_ID_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`] &&
    220:                     process.env[\`OAUTH_CLIENT_SECRET_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`]) {
    221:                     // Verify we have a supported flow
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    109:         console.error('Generating Jest config...');
    110:         const jestConfigContent = generateJestConfig();
>>> 111:         console.error('Generating .env.example file...');
    112:         const envExampleContent = generateEnvExample(api.components?.securitySchemes);
    113:         console.error('Generating OAuth2 documentation...');
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    60:     const prettierPath = path.join(outputDir, '.prettierrc');
    61:     const jestConfigPath = path.join(outputDir, 'jest.config.js');
>>> 62:     const envExamplePath = path.join(outputDir, '.env.example');
    63:     const docsDir = path.join(outputDir, 'docs');
    64:     const oauth2DocsPath = path.join(docsDir, 'oauth2-configuration.md');
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    68:  */
    69: 
>>> 70: // Load environment variables from .env file
    71: import dotenv from 'dotenv';
    72: dotenv.config();
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    80: export const config = {
    81:   port: process.env.PORT || '3000',
>>> 82:   logLevel: process.env.LOG_LEVEL || 'info',
    83: };
    84: `;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    79: 
    80: export const config = {
>>> 81:   port: process.env.PORT || '3000',
    82:   logLevel: process.env.LOG_LEVEL || 'info',
    83: };
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    74: 
    75: if (result.error) {
>>> 76:   console.warn('Warning: No .env file found or error loading .env file.');
    77:   console.warn('Using default environment variables.');
    78: }
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    71: 
    72: // Load environment variables from .env file
>>> 73: const result = dotenv.config({ path: path.resolve(__dirname, '../.env') });
    74: 
    75: if (result.error) {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    70: const __dirname = path.dirname(__filename);
    71: 
>>> 72: // Load environment variables from .env file
    73: const result = dotenv.config({ path: path.resolve(__dirname, '../.env') });
    74: 
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    61:     return `
    62: /**
>>> 63:  * Load environment variables from .env file
    64:  */
    65: import dotenv from 'dotenv';
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    8: export function generateEnvExample(securitySchemes) {
    9:     let content = `# MCP Server Environment Variables
>>> 10: # Copy this file to .env and fill in the values
    11: 
    12: # Server configuration
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    212:             if (scheme.type === 'oauth2') {
    213:                 // Check for pre-existing token
>>> 214:                 if (process.env[\`OAUTH_TOKEN_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`]) {
    215:                     return true;
    216:                 }
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    205:                 else if (scheme.scheme?.toLowerCase() === 'basic') {
    206:                     return !!process.env[\`BASIC_USERNAME_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`] && 
>>> 207:                            !!process.env[\`BASIC_PASSWORD_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
    208:                 }
    209:             }
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    4:  *
    5:  * @param securitySchemes Security schemes from the OpenAPI spec
>>> 6:  * @returns Content for .env.example file
    7:  */
    8: export function generateEnvExample(securitySchemes) {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    1: import { getEnvVarName } from '../utils/security.js';
    2: /**
>>> 3:  * Generates the content of .env.example file for the MCP server
    4:  *
    5:  * @param securitySchemes Security schemes from the OpenAPI spec
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    204:                 }
    205:                 else if (scheme.scheme?.toLowerCase() === 'basic') {
>>> 206:                     return !!process.env[\`BASIC_USERNAME_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`] && 
    207:                            !!process.env[\`BASIC_PASSWORD_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
    208:                 }
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    201:             if (scheme.type === 'http') {
    202:                 if (scheme.scheme?.toLowerCase() === 'bearer') {
>>> 203:                     return !!process.env[\`BEARER_TOKEN_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
    204:                 }
    205:                 else if (scheme.scheme?.toLowerCase() === 'basic') {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    195:             // API Key security (header, query, cookie)
    196:             if (scheme.type === 'apiKey') {
>>> 197:                 return !!process.env[\`API_KEY_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
    198:             }
    199:             
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    92:         const clientId = process.env[\`${getEnvVarName('schemeName', 'OAUTH_CLIENT_ID')}\`];
    93:         const clientSecret = process.env[\`${getEnvVarName('schemeName', 'OAUTH_CLIENT_SECRET')}\`];
>>> 94:         const scopes = process.env[\`${getEnvVarName('schemeName', 'OAUTH_SCOPES')}\`];
    95:         
    96:         if (!clientId || !clientSecret) {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    7:  *
    8:  * @param securitySchemes Security schemes from the OpenAPI spec
>>> 9:  * @returns Content for .env.example file
    10:  */
    11: export declare function generateEnvExample(securitySchemes?: OpenAPIV3.ComponentsObject['securitySchemes']): string;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    4: import { OpenAPIV3 } from 'openapi-types';
    5: /**
>>> 6:  * Generates the content of .env.example file for the MCP server
    7:  *
    8:  * @param securitySchemes Security schemes from the OpenAPI spec
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    1: /**
>>> 2:  * Generator for .env file and .env.example file
    3:  */
    4: import { OpenAPIV3 } from 'openapi-types';
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    93: ├── package.json
    94: ├── tsconfig.json
>>> 95: ├── .env.example
    96: ├── src/
    97: │   ├── index.ts
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    93: 
    94: # Environment variables
>>> 95: .env
    96: .env.local
    97: .env.development.local
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    94: # Environment variables
    95: .env
>>> 96: .env.local
    97: .env.development.local
    98: .env.test.local
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    95: .env
    96: .env.local
>>> 97: .env.development.local
    98: .env.test.local
    99: .env.production.local
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    96: .env.local
    97: .env.development.local
>>> 98: .env.test.local
    99: .env.production.local
    100: 
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    97: .env.development.local
    98: .env.test.local
>>> 99: .env.production.local
    100: 
    101: # OS specific
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    91:         // Check if we have the necessary credentials
    92:         const clientId = process.env[\`${getEnvVarName('schemeName', 'OAUTH_CLIENT_ID')}\`];
>>> 93:         const clientSecret = process.env[\`${getEnvVarName('schemeName', 'OAUTH_CLIENT_SECRET')}\`];
    94:         const scopes = process.env[\`${getEnvVarName('schemeName', 'OAUTH_SCOPES')}\`];
    95:         
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    90:     try {
    91:         // Check if we have the necessary credentials
>>> 92:         const clientId = process.env[\`${getEnvVarName('schemeName', 'OAUTH_CLIENT_ID')}\`];
    93:         const clientSecret = process.env[\`${getEnvVarName('schemeName', 'OAUTH_CLIENT_SECRET')}\`];
    94:         const scopes = process.env[\`${getEnvVarName('schemeName', 'OAUTH_SCOPES')}\`];
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    51:         else if (scheme.scheme?.toLowerCase() === 'basic') {
    52:             const username = process.env[\`${getEnvVarName(schemeName, 'BASIC_USERNAME')}\`];
>>> 53:             const password = process.env[\`${getEnvVarName(schemeName, 'BASIC_PASSWORD')}\`];
    54:             if (username && password) {
    55:                 headers['authorization'] = \`Basic \${Buffer.from(\`\${username}:\${password}\`).toString('base64')}\`;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    305:             // OpenID Connect
    306:             else if (scheme?.type === 'openIdConnect') {
>>> 307:                 const token = process.env[\`OPENID_TOKEN_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
    308:                 if (token) {
    309:                     headers['authorization'] = \`Bearer \${token}\`;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    283:             else if (scheme?.type === 'oauth2') {
    284:                 // First try to use a pre-provided token
>>> 285:                 let token = process.env[\`OAUTH_TOKEN_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
    286:                 
    287:                 // If no token but we have client credentials, try to acquire a token
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    273:                 else if (scheme.scheme?.toLowerCase() === 'basic') {
    274:                     const username = process.env[\`BASIC_USERNAME_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
>>> 275:                     const password = process.env[\`BASIC_PASSWORD_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
    276:                     if (username && password) {
    277:                         headers['authorization'] = \`Basic \${Buffer.from(\`\${username}:\${password}\`).toString('base64')}\`;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    272:                 } 
    273:                 else if (scheme.scheme?.toLowerCase() === 'basic') {
>>> 274:                     const username = process.env[\`BASIC_USERNAME_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
    275:                     const password = process.env[\`BASIC_PASSWORD_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
    276:                     if (username && password) {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    265:             else if (scheme?.type === 'http') {
    266:                 if (scheme.scheme?.toLowerCase() === 'bearer') {
>>> 267:                     const token = process.env[\`BEARER_TOKEN_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
    268:                     if (token) {
    269:                         headers['authorization'] = \`Bearer \${token}\`;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    245:             // API Key security
    246:             if (scheme?.type === 'apiKey') {
>>> 247:                 const apiKey = process.env[\`API_KEY_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
    248:                 if (apiKey) {
    249:                     if (scheme.in === 'header') {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    230:             // OpenID Connect
    231:             if (scheme.type === 'openIdConnect') {
>>> 232:                 return !!process.env[\`OPENID_TOKEN_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
    233:             }
    234:             
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    218:                 // Check for client credentials for auto-acquisition
    219:                 if (process.env[\`OAUTH_CLIENT_ID_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`] &&
>>> 220:                     process.env[\`OAUTH_CLIENT_SECRET_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`]) {
    221:                     // Verify we have a supported flow
    222:                     if (scheme.flows?.clientCredentials || scheme.flows?.password) {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    50:         } 
    51:         else if (scheme.scheme?.toLowerCase() === 'basic') {
>>> 52:             const username = process.env[\`${getEnvVarName(schemeName, 'BASIC_USERNAME')}\`];
    53:             const password = process.env[\`${getEnvVarName(schemeName, 'BASIC_PASSWORD')}\`];
    54:             if (username && password) {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    44:     else if (scheme?.type === 'http') {
    45:         if (scheme.scheme?.toLowerCase() === 'bearer') {
>>> 46:             const token = process.env[\`${getEnvVarName(schemeName, 'BEARER_TOKEN')}\`];
    47:             if (token) {
    48:                 headers['authorization'] = \`Bearer \${token}\`;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    20:     return `
    21:     if (scheme?.type === 'apiKey') {
>>> 22:         const apiKey = process.env[\`${getEnvVarName(schemeName, 'API_KEY')}\`];
    23:         if (apiKey) {
    24:             if (scheme.in === 'header') {
high | SC-003 | Suspicious Commands | Medium Confidence | Line 0

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    82:     const params = [];
    83:     let match;
>>> 84:     while ((match = paramRegex.exec(urlTemplate)) !== null) {
    85:         params.push(match[1]);
    86:     }
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | SC-004 | Suspicious Commands | Medium Confidence | Line 0

Dynamic code evaluation via eval()

Detected by automated pattern matching (rule SC-004) with medium confidence. May be a false positive.

    209:     try {
    210:         const zodSchemaString = jsonSchemaToZod(jsonSchema);
>>> 211:         const zodSchema = eval(zodSchemaString);
    212:         if (typeof zodSchema?.parse !== 'function') { 
    213:             throw new Error('Eval did not produce a valid Zod schema.'); 
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    466:         log('REQUEST', JSON.stringify(requestBody));
    467:         
>>> 468:         const response = await fetch('/mcp', {
    469:           method: 'POST',
    470:           headers: {
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    528:         log('REQUEST', JSON.stringify(requestBody));
    529:         
>>> 530:         const response = await fetch('/mcp', {
    531:           method: 'POST',
    532:           headers: {
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    580:         log('REQUEST', JSON.stringify(requestBody));
    581:         
>>> 582:         const response = await fetch('/mcp', {
    583:           method: 'POST',
    584:           headers: {
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    613:         \`\${apiEndpoint}?sessionId=\${sessionId}\`;
    614:       
>>> 615:       const response = await fetch(fullEndpoint, {
    616:         method: 'POST',
    617:         headers: {
medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.5 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.5 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.


Scan History

Date | Risk | Findings
Feb 25, 2026 | critical | 89
Feb 23, 2026 | critical | 89
Feb 22, 2026 | critical | 89