ICU
critical

@variflight-ai/variflight-mcp

v1.0.1

Variflight MCP Server

npm | liyuanzheng | First seen Feb 24, 2026

Total: 4 | Critical: 2 | High: 1 | Medium: 1

Findings

unknown
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    7:     },
    8:     api: {
>>> 9:         baseUrl: process.env.VARIFLIGHT_API_URL || 'https://mcp.variflight.com/api/v1/mcp/data',
    10:         apiKey: process.env.X_VARIFLIGHT_KEY || process.env.VARIFLIGHT_API_KEY,
    11:     },

critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    8:     api: {
    9:         baseUrl: process.env.VARIFLIGHT_API_URL || 'https://mcp.variflight.com/api/v1/mcp/data',
>>> 10:         apiKey: process.env.X_VARIFLIGHT_KEY || process.env.VARIFLIGHT_API_KEY,
    11:     },
    12: };

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable bytes]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    7:             params: params
    8:         };
>>> 9:         const response = await fetch(url.toString(), {
    10:             method: 'post',
    11:             headers: {