
@drawio/mcp

v1.1.2

Official draw.io MCP server for LLMs - Open diagrams in draw.io editor

npm / drawio / First seen Feb 26, 2026

Total: 6 | Critical: 0 | High: 4 | Medium: 2

Findings

high | SC-005 | Suspicious Commands | Medium Confidence | Line 0

Node.js child process spawning

Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive.

    5: import { ListToolsRequestSchema, CallToolRequestSchema } from "@modelcontextprotocol/sdk/types.js";
    6: import pako from "pako";
>>> 7: import { exec } from "child_process";
    8: 
    9: const DRAWIO_BASE_URL = "https://app.diagrams.net/";
high | SC-003 | Suspicious Commands | Medium Confidence | Line 0

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    30:   }
    31: 
>>> 32:   exec(command, (error) =>
    33:   {
    34:     if (error)
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: (non-printable binary bytes; the decoded value is not valid text)

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: (non-printable binary bytes; the decoded value is not valid text)

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    107: async function fetchContent(url)
    108: {
>>> 109:   const response = await fetch(url);
    110:   if (!response.ok)
    111:   {
medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
