
@modelcontextprotocol/inspector-client

Versions: 2
License: (not shown)
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version:
- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

jspahrsummers, pcarleton, fweinberger, thedsp, ashwin-ant, ochafik

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source: semgrep
Rule: semgrep:env-spread
Reason: AI (semgrep): Standard child-process spawn pattern passing env vars; not exfiltration.
Accepted by: ai
When: (not shown)

Source: bogus-package
Rule: bogus-package
Reason: AI (bogus-package): Official MCP org package with provenance; README links are legitimate project URLs.
Accepted by: ai
When: (not shown)

Versions (showing 2 of 2)

Version   Deps      Published
0.22.0    27 / 26   (not shown)
0.19.0    25 / 26   (not shown)

v0.22.0

5 findings
HIGH  env-spread: bin/start.js:46  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/modelcontextprotocol/inspector/blob/0ba1b8d1d8852e2f179f5a1945895ef97a91459f/bin/start.js#L46

      44 | const spawnOptions = {
      45 |   cwd: resolve(__dirname, "../..", "server"),
    > 46 |   env: {
      47 |     ...process.env,
      48 |     SERVER_PORT,

HIGH  env-spread: bin/start.js:115  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/modelcontextprotocol/inspector/blob/0ba1b8d1d8852e2f179f5a1945895ef97a91459f/bin/start.js#L115

     113 |   ],
     114 |   {
   > 115 |     env: {
     116 |       ...process.env,
     117 |       SERVER_PORT,

HIGH  env-spread: bin/start.js:149  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/modelcontextprotocol/inspector/blob/0ba1b8d1d8852e2f179f5a1945895ef97a91459f/bin/start.js#L149

     147 | const spawnOptions = {
     148 |   cwd: resolve(__dirname, ".."),
   > 149 |   env: { ...process.env, CLIENT_PORT },
     150 |   signal: abort.signal,
     151 |   echoOutput: true,

HIGH  env-spread: bin/start.js:216  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/modelcontextprotocol/inspector/blob/0ba1b8d1d8852e2f179f5a1945895ef97a91459f/bin/start.js#L216

     214 |
     215 | await spawnPromise("node", [inspectorClientPath], {
   > 216 |   env: {
     217 |     ...process.env,
     218 |     CLIENT_PORT,

INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal npm currently offers: the attestation binds the published tarball's digest to the source commit and the CI workflow that built it, so a tarball that was modified or uploaded from a developer machine would not verify. Consumers can check it locally with `npm audit signatures`, which verifies both registry signatures and provenance attestations for the dependencies installed in a project.

v0.19.0

5 findings
HIGH  env-spread: bin/start.js:46  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      44 | const spawnOptions = {
      45 |   cwd: resolve(__dirname, "../..", "server"),
    > 46 |   env: {
      47 |     ...process.env,
      48 |     SERVER_PORT,

HIGH  env-spread: bin/start.js:113  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

     111 |   ],
     112 |   {
   > 113 |     env: {
     114 |       ...process.env,
     115 |       SERVER_PORT,

HIGH  env-spread: bin/start.js:146  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

     144 | const client = spawn(clientCommand, clientArgs, {
     145 |   cwd: resolve(__dirname, ".."),
   > 146 |   env: { ...process.env, CLIENT_PORT },
     147 |   signal: abort.signal,
     148 |   echoOutput: true,

HIGH  env-spread: bin/start.js:206  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

     204 |
     205 | await spawnPromise("node", [inspectorClientPath], {
   > 206 |   env: {
     207 |     ...process.env,
     208 |     CLIENT_PORT,

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal; it means nothing on the registry ties this tarball to a source commit or build, and `npm audit signatures` can only check the registry signature for it. The later 0.22.0 release listed on this page does carry an attestation.