critical

@gleanwork/local-mcp-server

v0.9.1

MCP server for Glean API integration

npm | rwjblue-glean | First seen Feb 22, 2026

Total: 11 | Critical: 2 | High: 7 | Medium: 2

Findings

unknown
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    210:     }
    211:     if (options === null || options === void 0 ? void 0 : options.token) {
>>> 212:         process.env.GLEAN_API_TOKEN = options.token;
    213:     }
    214:     const transport = new StdioServerTransport();
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    207:     // Set environment variables from command line args if provided
    208:     if (options === null || options === void 0 ? void 0 : options.instance) {
>>> 209:         process.env.GLEAN_INSTANCE = options.instance;
    210:     }
    211:     if (options === null || options === void 0 ? void 0 : options.token) {
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.5 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    61:         }
    62:     }
>>> 63:     const response = await fetch(`${config.baseUrl}rest/api/v1/getdocuments`, {
    64:         method: 'POST',
    65:         body: JSON.stringify(mappedParams),

Scan History

Date | Risk | Findings
Feb 25, 2026 | critical | 11
Feb 23, 2026 | critical | 11
Feb 22, 2026 | critical | 11