critical

@gleanwork/mcp-server-utils

v0.9.1

Shared utilities for MCP server packages

npm | rwjblue-glean | First seen Feb 22, 2026

Total: 12 | Critical: 6 | High: 3 | Medium: 3

Findings

unknown
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    22: }
    23: function getLocalConfig() {
>>> 24:     const instance = process.env.GLEAN_INSTANCE || process.env.GLEAN_SUBDOMAIN;
    25:     const baseUrl = process.env.GLEAN_URL;
    26:     const token = process.env.GLEAN_API_TOKEN;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    23: function getLocalConfig() {
    24:     const instance = process.env.GLEAN_INSTANCE || process.env.GLEAN_SUBDOMAIN;
>>> 25:     const baseUrl = process.env.GLEAN_URL;
    26:     const token = process.env.GLEAN_API_TOKEN;
    27:     const actAs = process.env.GLEAN_ACT_AS;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    24:     const instance = process.env.GLEAN_INSTANCE || process.env.GLEAN_SUBDOMAIN;
    25:     const baseUrl = process.env.GLEAN_URL;
>>> 26:     const token = process.env.GLEAN_API_TOKEN;
    27:     const actAs = process.env.GLEAN_ACT_AS;
    28:     if (token !== undefined) {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    25:     const baseUrl = process.env.GLEAN_URL;
    26:     const token = process.env.GLEAN_API_TOKEN;
>>> 27:     const actAs = process.env.GLEAN_ACT_AS;
    28:     if (token !== undefined) {
    29:         return buildTokenConfig({
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    6:     const homeDir = os.homedir();
    7:     // Check for XDG_STATE_HOME first
>>> 8:     const xdgStateHome = process.env.XDG_STATE_HOME;
    9:     if (xdgStateHome) {
    10:         return path.join(xdgStateHome, name);
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    13:     if (platform === 'win32') {
    14:         // Windows: %LOCALAPPDATA%\state\{name}
>>> 15:         const localAppData = process.env.LOCALAPPDATA || path.join(homeDir, 'AppData', 'Local');
    16:         return path.join(localAppData, 'state', name);
    17:     }
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ��슉�j��1��l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ��슉�j��1��l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ��슉�j��1��l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    37:         const controller = new AbortController();
    38:         const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
>>> 39:         const response = await fetch(url, {
    40:             method: 'HEAD',
    41:             signal: controller.signal,
medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    15:         const url = `https://${instance}-be.glean.com/liveness_check`;
    16:         trace(`Checking instance validity with: ${url}`);
>>> 17:         const response = await fetch(url, {
    18:             method: 'GET',
    19:             headers: {

Scan History

Date | Risk | Findings
Feb 25, 2026 | critical | 12
Feb 23, 2026 | critical | 12
Feb 22, 2026 | critical | 12