@hypertrack/mcp-server
v0.1.16
HyperTrack MCP Server - Query your HyperTrack account through AI assistants

Total: 15 | Critical: 8 | High: 3 | Medium: 4

Findings
unknown
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
3: import { createServer } from "./server.js";
4: const accountId = process.env.HYPERTRACK_ACCOUNT_ID;
>>> 5: const secretKey = process.env.HYPERTRACK_SECRET_KEY;
6: if (!accountId || !secretKey) {
7: console.error("Error: HYPERTRACK_ACCOUNT_ID and HYPERTRACK_SECRET_KEY environment variables are required.");

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
5: import { createServer } from "./server.js";
6: const port = parseInt(process.env.PORT ?? "3000", 10);
>>> 7: const host = process.env.HOST ?? "127.0.0.1";
8: const corsOrigin = process.env.CORS_ORIGIN ?? "*";
9: const accountId = process.env.HYPERTRACK_ACCOUNT_ID;

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
4: import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
5: import { createServer } from "./server.js";
>>> 6: const port = parseInt(process.env.PORT ?? "3000", 10);
7: const host = process.env.HOST ?? "127.0.0.1";
8: const corsOrigin = process.env.CORS_ORIGIN ?? "*";

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
2: import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
3: import { createServer } from "./server.js";
>>> 4: const accountId = process.env.HYPERTRACK_ACCOUNT_ID;
5: const secretKey = process.env.HYPERTRACK_SECRET_KEY;
6: if (!accountId || !secretKey) {

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
11: accountId,
12: secretKey,
>>> 13: baseUrl: process.env.HYPERTRACK_API_BASE_URL,
14: });
15: const transport = new StdioServerTransport();

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
6: const port = parseInt(process.env.PORT ?? "3000", 10);
7: const host = process.env.HOST ?? "127.0.0.1";
>>> 8: const corsOrigin = process.env.CORS_ORIGIN ?? "*";
9: const accountId = process.env.HYPERTRACK_ACCOUNT_ID;
10: const secretKey = process.env.HYPERTRACK_SECRET_KEY;

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
7: const host = process.env.HOST ?? "127.0.0.1";
8: const corsOrigin = process.env.CORS_ORIGIN ?? "*";
>>> 9: const accountId = process.env.HYPERTRACK_ACCOUNT_ID;
10: const secretKey = process.env.HYPERTRACK_SECRET_KEY;
11: if (!accountId || !secretKey) {

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
8: const corsOrigin = process.env.CORS_ORIGIN ?? "*";
9: const accountId = process.env.HYPERTRACK_ACCOUNT_ID;
>>> 10: const secretKey = process.env.HYPERTRACK_SECRET_KEY;
11: if (!accountId || !secretKey) {
12: console.error("Error: HYPERTRACK_ACCOUNT_ID and HYPERTRACK_SECRET_KEY environment variables are required.");

Decoded base64 content
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

High-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

JavaScript fetch() call
Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.
16: }
17: const token = await this.tokenManager.getToken();
>>> 18: const response = await fetch(url.toString(), {
19: method: "GET",
20: headers: {

JavaScript fetch() call
Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.
25: async refreshToken() {
26: const basicAuth = Buffer.from(`${this.config.accountId}:${this.config.secretKey}`).toString("base64");
>>> 27: const response = await fetch(`${this.config.baseUrl}/oauth/token`, {
28: method: "POST",
29: headers: {

High-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.