ICU
critical

@uidbai/mcp-server

v0.3.16

UIDB Design System MCP Server for AI coding tools

npm | bibtor | First seen Feb 22, 2026

17 Total | 2 Critical | 10 High | 5 Medium

Findings

unknown
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    23: function loadCredentialsFromEnv() {
    24:     const apiKey = process.env.UIDB_API_KEY;
>>> 25:     const projectSlug = process.env.UIDB_PROJECT_SLUG;
    26:     if (!apiKey || !projectSlug) {
    27:         return null;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    22:  */
    23: function loadCredentialsFromEnv() {
>>> 24:     const apiKey = process.env.UIDB_API_KEY;
    25:     const projectSlug = process.env.UIDB_PROJECT_SLUG;
    26:     if (!apiKey || !projectSlug) {
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable bytes]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable bytes]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable bytes]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable bytes]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable bytes]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable bytes]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable bytes]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable bytes]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable bytes]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable bytes]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    33:             fetchOptions.body = JSON.stringify(body);
    34:         }
>>> 35:         const response = await fetch(url, fetchOptions);
    36:         // Handle authentication errors
    37:         if (response.status === 401) {
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    214: export async function exchangeToken(oneTimeToken) {
    215:     try {
>>> 216:         const response = await fetch(`${UIDB_API_URL}/api/auth/mcp/exchange`, {
    217:             method: "POST",
    218:             headers: {
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    253:     }
    254:     try {
>>> 255:         const response = await fetch(`${UIDB_API_URL}/api/auth/mcp/refresh`, {
    256:             method: "POST",
    257:             headers: {
medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.


Scan History

Date | Risk | Findings
Feb 25, 2026 | critical | 17
Feb 23, 2026 | critical | 17
Feb 22, 2026 | critical | 17