Package names that are common misspellings of popular packages may be typosquatting attacks.
"axios": "^1.6.7",
Verify package names against the official registry. Use lockfiles and integrity hashes.
Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.
const API_KEY = process.env.TAVILY_API_KEY;
Avoid accessing sensitive env vars directly. Use a configuration module that validates and restricts access.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
'Authorization': `Bearer ${API_KEY}`,
Validate OAuth scopes on every endpoint. Check that the token has the required permissions.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log("Available tools:");
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\n- ${tool.name}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` Description: ${tool.description}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.