critical

@resourcexjs/mcp-server

v2.9.0

ResourceX MCP Server for AI Agents

npm | deepracticex | npm | First seen Feb 22, 2026

Total: 5 | Critical: 4 | High: 0 | Medium: 1

Findings

unknown
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    27: function readSharedConfig(): { registry?: string; path?: string } {
    28:   try {
>>> 29:     const rxHome = process.env.RX_HOME || join(homedir(), ".resourcex");
    30:     const configPath = join(rxHome, "config.json");
    31:     if (existsSync(configPath)) {

critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    50: 
    51: // Environment variables take precedence over shared config
>>> 52: const registry = process.env.RESOURCEX_REGISTRY ?? sharedConfig.registry;
    53: const storagePath = process.env.RESOURCEX_PATH ?? sharedConfig.path;
    54: 

critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    51: // Environment variables take precedence over shared config
    52: const registry = process.env.RESOURCEX_REGISTRY ?? sharedConfig.registry;
>>> 53: const storagePath = process.env.RESOURCEX_PATH ?? sharedConfig.path;
    54: 
    55: // Initialize ResourceX client

critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    49:       // but keep the same storage path
    50:       if (registry && registry !== defaultRegistry) {
>>> 51:         const storagePath = process.env.RESOURCEX_PATH;
    52:         const client = createResourceX({ registry, path: storagePath });
    53:         await client.push(locator);

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
