ICUICU
critical

mrseanchow/cowsay-mcp

vlatest

Cowsay MCP Server, providing ASCII art cow capabilities for LLMs. This implementation allows language models to generate fun ASCII art cows with custom messages.

SmitherymrseanchowFirst seen Feb 23, 2026Source

12

Total

3

Critical

8

High

1

Medium

Findings

unknown
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    209:     // Get configuration from environment variables
    210:     const serverToken = process.env.SERVER_TOKEN;
>>> 211:     const caseSensitive = process.env.CASE_SENSITIVE === 'true';
    212: 
    213:     // Create server with configuration
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    1: .smithery
    2: node_modules
>>> 3: .env
    4: dist
    5: package-lock.json
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    208: async function main() {
    209:     // Get configuration from environment variables
>>> 210:     const serverToken = process.env.SERVER_TOKEN;
    211:     const caseSensitive = process.env.CASE_SENSITIVE === 'true';
    212:
Report false positive
highSC-005Suspicious CommandsMedium ConfidenceLine 0

Node.js child process spawning

Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive.

    13: import cowsay from 'cowsay';
    14: import { COWSAY, COWTHINK, LIST_COWS, GET_VERSION } from './tools.js';
>>> 15: import { exec } from 'child_process';
    16: import { promisify } from 'util';
    17: const execAsync = promisify(exec);
Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��bu�^I��z�q�,

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��bu�^I��z�q�,

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��bu�^I��z�q�,

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��bu�^I��z�q�,

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��bu�^I��z�q�,

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

Scan History

DateRiskFindings
Feb 26, 2026critical12
Feb 23, 2026critical12