MCP Scanner

This repository may not be an MCP server

We could not detect MCP SDK imports or tool registrations.


Repository: punkpeye/awesome-mcp-servers

1 file · 11 findings

Severity summary: 7 critical, 4 high
Findings by category:

Tool Poisoning: 7 issues
Command Injection: clean
Path Traversal: 1 issue
SSRF: clean
Credential Theft: clean
Excessive Permissions: clean
Missing Auth: clean
Supply Chain: 3 issues
Tool Poisoning (7)

HTML comment injection in tool description
Severity: critical
HTML comments in tool descriptions may contain hidden instructions intended to influence LLM reasoning.
Location: .github/workflows/check-glama.yml:24
    const marker = '<!-- welcome-comment -->';
How to fix: Remove HTML comments from description strings. Use source code comments instead.

Path Traversal (1)

Windows-style path traversal patterns
Severity: high
Backslash-based directory traversal patterns targeting Windows file systems.
Location: .github/workflows/check-glama.yml:368
    Please update your PR to use a \`https://github.com/...\` repository link.`
How to fix: Normalize path separators and apply traversal checks for both forward slashes and backslashes.

Supply Chain (3)

GitHub Actions with unpinned actions
Severity: high
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
Location: .github/workflows/check-glama.yml:19
    uses: actions/github-script@v7
How to fix: Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...

Remaining categories:

Rug Pull: clean
Data Exfiltration: clean
Insecure Communication: clean
Excessive Data Exposure: clean
Logging Deficiency: clean
Runtime Tool Poisoning: clean
Shadow MCP Server: clean

HTML comment injection in tool description
Severity: critical
HTML comments in tool descriptions may contain hidden instructions intended to influence LLM reasoning.
Location: .github/workflows/check-glama.yml:235
    const marker = '<!-- glama-check -->';
How to fix: Remove HTML comments from description strings. Use source code comments instead.

HTML comment injection in tool description
Severity: critical
HTML comments in tool descriptions may contain hidden instructions intended to influence LLM reasoning.
Location: .github/workflows/check-glama.yml:264
    const marker = '<!-- glama-badge-check -->';
How to fix: Remove HTML comments from description strings. Use source code comments instead.

HTML comment injection in tool description
Severity: critical
HTML comments in tool descriptions may contain hidden instructions intended to influence LLM reasoning.
Location: .github/workflows/check-glama.yml:303
    const marker = '<!-- emoji-check -->';
How to fix: Remove HTML comments from description strings. Use source code comments instead.

HTML comment injection in tool description
Severity: critical
HTML comments in tool descriptions may contain hidden instructions intended to influence LLM reasoning.
Location: .github/workflows/check-glama.yml:339
    const marker = '<!-- duplicate-check -->';
How to fix: Remove HTML comments from description strings. Use source code comments instead.

HTML comment injection in tool description
Severity: critical
HTML comments in tool descriptions may contain hidden instructions intended to influence LLM reasoning.
Location: .github/workflows/check-glama.yml:357
    const marker = '<!-- url-check -->';
How to fix: Remove HTML comments from description strings. Use source code comments instead.

HTML comment injection in tool description
Severity: critical
HTML comments in tool descriptions may contain hidden instructions intended to influence LLM reasoning.
Location: .github/workflows/check-glama.yml:375
    const marker = '<!-- name-check -->';
How to fix: Remove HTML comments from description strings. Use source code comments instead.

GitHub Actions with unpinned actions
Severity: high
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
Location: .github/workflows/check-glama.yml:52
    uses: actions/checkout@v4
How to fix: Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...

GitHub Actions with unpinned actions
Severity: high
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
Location: .github/workflows/check-glama.yml:57
    uses: actions/github-script@v7
How to fix: Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...