@zeplin/mcp-server

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    32:     "lint": "eslint --ext .ts src",
    33:     "lint:fix": "eslint --ext .ts --fix src",
>>> 34:     "inspect": "source .env && npx @modelcontextprotocol/inspector -e ZEPLIN_ACCESS_TOKEN=$ZEPLIN_ACCESS_TOKEN node dist/index.js",
    35:     "prepublishOnly": "npm run lint && npm run build"
    36:   },

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    5:  * Initialize the Zeplin API client
    6:  */
>>> 7: export const api = new ZeplinApi(new Configuration({ accessToken: process.env.ZEPLIN_ACCESS_TOKEN }));
    8: /**
    9:  * Fetches design tokens for a project

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    84: ```
    85: 
>>> 86: To run `npm run inspect`, create an `.env` file first in the root directory:
    87: 
    88: ```bash

Decoded base64 content: ��^��'��m��-��%��d

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: {"timeout":600,"command":"npx -y @zeplin/mcp-server@latest","env":{"ZEPLIN_ACCESS_TOKEN":"Your Zepli

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: u����b��-�g)�)쵩e

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��a��?ʋ���+y��~)^

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��b����k�Ǭ�)�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: }�\����- �"�t���

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �w%�׋�yu+r��.�׬

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �w%�׋�yu+r��.�׬

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��Rr��� �֭���

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    17:     }
    18:     try {
>>> 19:         const response = await fetch(url, {
    20:             method: "GET",
    21:             headers: {

Possible Base64-encoded payload (long encoded string)

Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.

    31: 
    32: 
>>> 33: [![Install MCP Server](https://cursor.com/deeplink/mcp-install-dark.svg)](https://cursor.com/en/install-mcp?name=zeplin&config=eyJ0aW1lb3V0Ijo2MDAsImNvbW1hbmQiOiJucHggLXkgQHplcGxpbi9tY3Atc2VydmVyQGxhdGVzdCIsImVudiI6eyJaRVBMSU5fQUNDRVNTX1RPS0VOIjoiWW91ciBaZXBsaW4gUGVyc29uYWwgQWNjZXNzIFRva2VuIn19)
    34: 
    35: **For VS Code users:**

High-entropy string (5.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.9 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    63:         const fileName = assetId + fileExtension;
    64:         const filePath = path.join(localDir, fileName);
>>> 65:         const response = await fetch(assetUrl);
    66:         if (!response.ok) {
    67:             return createErrorResponse(`Failed to download asset: Server responded with ${response.status}`);