@jpisnice/shadcn-ui-mcp-server
v2.0.0
A Model Context Protocol (MCP) server for shadcn/ui components, providing AI assistants with access to component source code, demos, blocks, and metadata.
92
Total
19
Critical
42
High
31
Medium
Findings
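unknown
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive. The flagged line reads the `process.env.GITHUB_PERSONAL_ACCESS_TOKEN` environment variable rather than a file on disk. In the lines shown the value is only placed in the `Authorization` header of an outgoing request, so the point to verify is which host that request goes to, which the excerpt does not show.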
15: Accept: "application/vnd.github+json",
16: "User-Agent": "Mozilla/5.0 (compatible; ShadcnUiMcpServer/1.0.0)",
>>> 17: ...(process.env.GITHUB_PERSONAL_ACCESS_TOKEN && {
18: Authorization: `Bearer ${process.env.GITHUB_PERSONAL_ACCESS_TOKEN}`,
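19: }),
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive. The flagged line copies `MCP_CORS_ORIGINS` into `options.cors` unchanged in the lines shown. Whether the value is validated afterwards is not visible here and is worth checking, because an overly broad origin list widens which web origins may call the server.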
39: }
40: else if (process.env.MCP_CORS_ORIGINS) {
>>> 41: options.cors = process.env.MCP_CORS_ORIGINS;
42: }
43: return options;Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
38: options.cors = argv[corsIndex + 1];
39: }
>>> 40: else if (process.env.MCP_CORS_ORIGINS) {
41: options.cors = process.env.MCP_CORS_ORIGINS;
42: }Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
31: }
32: else if (process.env.MCP_HOST) {
>>> 33: options.host = process.env.MCP_HOST;
34: }
35: // Parse CORS originsReport false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
30: options.host = argv[hostIndex + 1];
31: }
>>> 32: else if (process.env.MCP_HOST) {
33: options.host = process.env.MCP_HOST;
34: }Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
23: }
24: else if (process.env.MCP_PORT) {
>>> 25: options.port = process.env.MCP_PORT;
26: }
27: // Parse hostReport false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
22: options.port = argv[portIndex + 1];
23: }
>>> 24: else if (process.env.MCP_PORT) {
25: options.port = process.env.MCP_PORT;
26: }Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
15: }
16: else if (process.env.MCP_TRANSPORT_MODE) {
>>> 17: options.mode = process.env.MCP_TRANSPORT_MODE;
18: }
19: // Parse portReport false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
14: options.mode = argv[modeIndex + 1];
15: }
>>> 16: else if (process.env.MCP_TRANSPORT_MODE) {
17: options.mode = process.env.MCP_TRANSPORT_MODE;
18: }Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
37: Accept: "application/vnd.github+json",
38: "User-Agent": "Mozilla/5.0 (compatible; ShadcnUiMcpServer/1.0.0)",
>>> 39: ...(process.env.GITHUB_PERSONAL_ACCESS_TOKEN && {
40: Authorization: `Bearer ${process.env.GITHUB_PERSONAL_ACCESS_TOKEN}`,
41: }),Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
15: "User-Agent": "Mozilla/5.0 (compatible; ShadcnUiMcpServer/1.0.0)",
16: ...(process.env.GITHUB_PERSONAL_ACCESS_TOKEN && {
>>> 17: "Authorization": `Bearer ${process.env.GITHUB_PERSONAL_ACCESS_TOKEN}`
18: })
19: },Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
14: "Accept": "application/vnd.github+json",
15: "User-Agent": "Mozilla/5.0 (compatible; ShadcnUiMcpServer/1.0.0)",
>>> 16: ...(process.env.GITHUB_PERSONAL_ACCESS_TOKEN && {
17: "Authorization": `Bearer ${process.env.GITHUB_PERSONAL_ACCESS_TOKEN}`
18: })Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
16: "User-Agent": "Mozilla/5.0 (compatible; ShadcnUiMcpServer/1.0.0)",
17: ...(process.env.GITHUB_PERSONAL_ACCESS_TOKEN && {
>>> 18: Authorization: `Bearer ${process.env.GITHUB_PERSONAL_ACCESS_TOKEN}`,
19: }),
20: },Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
35: }
36: // Check environment variable
>>> 37: const envFramework = process.env.FRAMEWORK?.toLowerCase();
38: if (envFramework === "react" ||
39: envFramework === "svelte" ||Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
16: "User-Agent": "Mozilla/5.0 (compatible; ShadcnUiMcpServer/1.0.0)",
17: ...(process.env.GITHUB_PERSONAL_ACCESS_TOKEN && {
>>> 18: "Authorization": `Bearer ${process.env.GITHUB_PERSONAL_ACCESS_TOKEN}`
19: })
20: },Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
15: "Accept": "application/vnd.github+json",
16: "User-Agent": "Mozilla/5.0 (compatible; ShadcnUiMcpServer/1.0.0)",
>>> 17: ...(process.env.GITHUB_PERSONAL_ACCESS_TOKEN && {
18: "Authorization": `Bearer ${process.env.GITHUB_PERSONAL_ACCESS_TOKEN}`
19: })Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
38: "User-Agent": "Mozilla/5.0 (compatible; ShadcnUiMcpServer/1.0.0)",
39: ...(process.env.GITHUB_PERSONAL_ACCESS_TOKEN && {
>>> 40: Authorization: `Bearer ${process.env.GITHUB_PERSONAL_ACCESS_TOKEN}`,
41: }),
42: },Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
7: }
8: else if (process.env.GITHUB_PERSONAL_ACCESS_TOKEN) {
>>> 9: options.githubApiKey = process.env.GITHUB_PERSONAL_ACCESS_TOKEN;
10: }
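11: // Parse transport mode
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive. The excerpt also shows the token being accepted from `argv`. Command-line arguments are typically visible to other local users through the process list, so the environment variable is the safer of the two ways to supply it.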
6: options.githubApiKey = argv[githubApiKeyIndex + 1];
7: }
>>> 8: else if (process.env.GITHUB_PERSONAL_ACCESS_TOKEN) {
9: options.githubApiKey = process.env.GITHUB_PERSONAL_ACCESS_TOKEN;
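10: }
Dynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive. The flagged call is `importRegex.exec(code)`, where `importRegex` is the regular-expression literal on the preceding line. That is `RegExp.prototype.exec`, which matches text and does not run it, so the rule has matched the method name rather than code execution. Every SC-003 excerpt on this page calls `.exec` on a variable named as a regex (`importRegex`, `jsxRegex`, `filePathRegex`, `scriptRegex`, `componentRegex`).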
384: const importRegex = /import\s+.*?\s+from\s+['"]([@\w\/\-\.]+)['"]/g;
385: let match;
>>> 386: match = importRegex.exec(code);
387: while (match !== null) {
388: const dep = match[1];Report false positiveDecoded base64 content: ��B�jh���1�Zu�Z
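Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive. The decoded bytes shown are not printable text, and the report gives neither the source string nor its file and line, so this finding cannot be triaged from the page alone. Short strings that happen to use only base64-alphabet characters (identifiers, paths) decode to bytes like these, and the same few decoded values recur throughout the report.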
Report false positiveDecoded base64 content: ��"��� �^�קr'�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��"��� �^�קr'�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��B�jh���1�Zu�Z
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ~��jШ��'z{Mjg��&��֥
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.
390: dependencies.push(dep);
391: }
>>> 392: match = importRegex.exec(code);
393: }
394: return [...new Set(dependencies)]; // Remove duplicatesReport false positiveDynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.
404: const importRegex = /import\s+\{([^}]+)\}\s+from/g;
405: let match;
>>> 406: match = importRegex.exec(code);
407: while (match !== null) {
408: const imports = match[1].split(',').map(imp => imp.trim());Report false positiveDynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.
412: }
413: });
>>> 414: match = importRegex.exec(code);
415: }
416: // Also look for JSX components in the codeReport false positiveDynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.
416: // Also look for JSX components in the code
417: const jsxRegex = /<([A-Z]\w+)/g;
>>> 418: match = jsxRegex.exec(code);
419: while (match !== null) {
420: components.push(match[1]);Report false positiveDynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.
419: while (match !== null) {
420: components.push(match[1]);
>>> 421: match = jsxRegex.exec(code);
422: }
423: return [...new Set(components)]; // Remove duplicatesReport false positiveDecoded base64 content: ��B�jh���1�Zu�Z
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��"��� �^�קr'�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��"��� �^�קr'�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��"��� �^�קr'�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��"��� �^�קr'�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��B�jh���1�Zu�Z
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.
266: if (filesMatch) {
267: let m;
>>> 268: while ((m = filePathRegex.exec(filesMatch[1])) !== null) {
269: files.push(m[1]);
270: }Report false positiveDynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.
461: const scriptRegex = /<script.*?>([\s\S]*?)<\/script>/g;
462: let scriptMatch;
>>> 463: while ((scriptMatch = scriptRegex.exec(code)) !== null) {
464: const scriptContent = scriptMatch[1];
465: const importRegex = /import\s+.*?\s+from\s+['"]([@\w\/\-\.]+)['"]/g;Report false positiveDynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.
465: const importRegex = /import\s+.*?\s+from\s+['"]([@\w\/\-\.]+)['"]/g;
466: let importMatch;
>>> 467: while ((importMatch = importRegex.exec(scriptContent)) !== null) {
468: const dep = importMatch[1];
469: if (!dep.startsWith("./") &&Report false positiveDynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.
491: const componentRegex = /<([A-Z]\w+|[a-z]+-[a-z-]+)/g;
492: let match;
>>> 493: while ((match = componentRegex.exec(templateContent)) !== null) {
494: components.push(match[1]);
495: }Report false positiveDynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.
502: const importRegex = /import\s+\{([^}]+)\}\s+from/g;
503: let match;
>>> 504: while ((match = importRegex.exec(scriptContent)) !== null) {
505: const imports = match[1].split(",").map((imp) => imp.trim());
506: imports.forEach((imp) => {Report false positiveDecoded base64 content: ~��jШ��'z{Mjg��&��֥
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ~��jШ��'z{Mjg��&��֥
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��B�jh���1�Zu�Z
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��"��� �^�קr'�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��"��� �^�קr'�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��AjȜV璶�����
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: {ki�U�ਚ�'z{T��
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��AjȜV璶�����
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: {ki�U�ਚ�'z{T��
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: {ki�U�ਚ�'z{T��
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��B�jh���1�Zu�Z
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.
391: const importRegex = /import\s+.*?\s+from\s+['"]([@\w\/\-\.]+)['"]/g;
392: let match;
>>> 393: match = importRegex.exec(code);
394: while (match !== null) {
395: const dep = match[1];Report false positiveDynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.
397: dependencies.push(dep);
398: }
>>> 399: match = importRegex.exec(code);
400: }
401: return [...new Set(dependencies)]; // Remove duplicatesReport false positiveDynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.
411: const importRegex = /import\s+\{([^}]+)\}\s+from/g;
412: let match;
>>> 413: match = importRegex.exec(code);
414: while (match !== null) {
415: const imports = match[1].split(',').map(imp => imp.trim());Report false positiveDynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.
419: }
420: });
>>> 421: match = importRegex.exec(code);
422: }
423: // Also look for JSX components in the codeReport false positiveDynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.
423: // Also look for JSX components in the code
424: const jsxRegex = /<([A-Z]\w+)/g;
>>> 425: match = jsxRegex.exec(code);
426: while (match !== null) {
427: components.push(match[1]);Report false positiveDynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.
426: while (match !== null) {
427: components.push(match[1]);
>>> 428: match = jsxRegex.exec(code);
429: }
430: return [...new Set(components)]; // Remove duplicatesReport false positiveDecoded base64 content: ��B�jh���1�Zu�Z
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��"��� �^�קr'�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��B�jh���1�Zu�Z
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
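High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive. No excerpt, file or line is shown for the EN-001 findings, so the string itself has to be located in the package before it can be assessed. For reference, uniformly random base64 approaches 6 bits per character; the 4.5–4.8 values reported here are also reached by long identifiers, URLs and minified code.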
Report false positiveHigh-entropy string (4.5 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.8 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.5 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.5 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.5 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
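JavaScript fetch() call
Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive. The flagged line is the declaration of a cache method named `getOrFetch` that takes a caller-supplied `fetchFn`. No call to the global `fetch()` appears in the excerpt, so the rule appears to have matched on the method name.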
58: * @returns The cached or computed value
59: */
>>> 60: async getOrFetch(key, fetchFn, ttl = this.defaultTTL) {
61: const cachedValue = this.get(key);
62: if (cachedValue !== null) {Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Scan History
| Date | Risk | Findings | Files | Duration |
|---|---|---|---|---|
| Feb 23, 2026 | critical | 92 | 50 | 0.00s |
| Feb 22, 2026 | critical | 92 | 50 | 0.00s |