@zeeshan8281/mcp
MCP tool integration for meshkit
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped MCP integration package; name similarity to 'yup' is coincidental, not impersonation. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread is used to pass env vars to StdioClientTransport subprocess — standard MCP SDK pattern, not exfiltration. | ai | |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 0.1.0 | 2 / 2 | |
v0.1.0
3 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/zeeshan8281/meshkit/blob/1ce47afe220404384e0a31f67ab9bcb3613200d8/src/index.ts#L35

```ts
  33 | const packageName = url.replace('npx:', '');
  34 | const env = Object.fromEntries(
> 35 |   Object.entries({ ...process.env, ...opts?.env }).filter((entry): entry is [string, string] => entry[1] !== undefin
  36 | );
  37 | const transport = new StdioClientTransport({
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/zeeshan8281/meshkit/blob/1ce47afe220404384e0a31f67ab9bcb3613200d8/src/index.ts#L60

```ts
  58 | if (opts?.command) {
  59 |   const cmdEnv = Object.fromEntries(
> 60 |     Object.entries({ ...process.env, ...opts.env }).filter((entry): entry is [string, string] => entry[1] !== undefine
  61 |   );
  62 |   const transport = new StdioClientTransport({
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.