ICUICU
critical

@skanda-yutori/mcp-send-email

v1.0.0

MCP server for sending emails via Resend API

npmskanda-yutoriFirst seen Feb 22, 2026Source

7

Total

4

Critical

2

High

1

Medium

Findings

unknown
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    8: const argv = minimist(process.argv.slice(2));
    9: // Get API key from command line argument or fall back to environment variable
>>> 10: const apiKey = argv.key || process.env.RESEND_API_KEY;
    11: // Get sender email address from command line argument or fall back to environment variable
    12: // Optional.
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    11: // Get sender email address from command line argument or fall back to environment variable
    12: // Optional.
>>> 13: const senderEmailAddress = argv.sender || process.env.SENDER_EMAIL_ADDRESS;
    14: // Get reply to email addresses from command line argument or fall back to environment variable
    15: let replierEmailAddresses = [];
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    20:     replierEmailAddresses = [argv["reply-to"]];
    21: }
>>> 22: else if (process.env.REPLY_TO_EMAIL_ADDRESSES) {
    23:     replierEmailAddresses = process.env.REPLY_TO_EMAIL_ADDRESSES.split(",");
    24: }
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    21: }
    22: else if (process.env.REPLY_TO_EMAIL_ADDRESSES) {
>>> 23:     replierEmailAddresses = process.env.REPLY_TO_EMAIL_ADDRESSES.split(",");
    24: }
    25: if (!apiKey) {
Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

Scan History

DateRiskFindings
Feb 25, 2026critical7
Feb 23, 2026critical7
Feb 22, 2026critical7