cli

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/setup-node@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/checkout@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: pnpm/action-setup@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/setup-node@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/checkout@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: pnpm/action-setup@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/setup-node@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/checkout@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: pnpm/action-setup@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/setup-node@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/checkout@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: pnpm/action-setup@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/setup-node@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/create-github-app-token@v2

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: googleapis/release-please-action@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/checkout@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: pnpm/action-setup@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/setup-node@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/checkout@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: pnpm/action-setup@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/setup-node@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/checkout@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: pnpm/action-setup@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/setup-node@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/checkout@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: pnpm/action-setup@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/setup-node@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/checkout@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: pnpm/action-setup@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/setup-node@v4

preinstall and postinstall scripts in package.json execute automatically during npm install and can run malicious code.

"postinstall": "node scripts/postinstall.js",

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.green(`Subscribed to ${pc.bold(topic)}.`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.yellow(msg))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.green(`Unsubscribed from ${pc.bold(topic)}.`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(output)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan("Publishing to Smithery Registry..."))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan(`\nResuming latest release for ${qualifiedName}...`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(`✓ Release ${result.deploymentId} accepted`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim("> Waiting for completion..."))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(`✓ Created server "${qualifiedName}"`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`${pc.dim(`[${log.stage}]`)} ${color(log.message)}`)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.green("\n✓ Release successful!"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(`${pc.bold("Release ID:")} ${deploymentId}`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.yellow("\n⚠ OAuth authorization required."))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`Please authorize at: ${pc.cyan(authUrl)}`)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim("> Starting local development server..."))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(`> Server starting on port ${pc.green(finalPort)}`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.yellow("\no/ Shutting down server..."))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected patterns that disable, silence, or suppress logging or audit trails. Disabling security logging can mask malicious activity and hinder incident investigation.

logs: parts.join(", ") || pc.dim("none"),

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`${pc.green("✓")} Removed ${id}`)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`${pc.red("✗")} ${f.id}: ${f.error}`)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`${pc.green("✓")} Secret "${name}" set for ${server}`)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`${pc.green("✓")} Secret "${name}" deleted from ${server}`)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.red(`${qualifiedName} is not installed for ${client}`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.green(`Created and claimed namespace: ${name}`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.green(`Switched to namespace: ${name}`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(namespace)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.green(`Switched to namespace: ${name}`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(JSON.stringify(message))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan(`Running: ${command}`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`${pc.bold(pc.cyan(displayName))}`)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.bold("To install this skill, run:"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(content)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.

console.log(pc.gray("All local credentials have been removed"))

Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.

console.log(pc.yellow("No token found"))

Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.

console.log(`SMITHERY_API_KEY=${apiKey}`)

Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.

console.log(pc.cyan("Token:"), masked)

Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.

console.log(pc.gray("Use --full to display the complete token"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.yellow("No servers found."))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.bold("Most popular servers:\n"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan("Login to Smithery"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.green("✓ Successfully logged in"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.gray("You can now use Smithery CLI commands"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan("Logging out of Smithery..."))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.green("✓ Successfully logged out"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.gray("All local credentials have been removed"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.yellow("No token found"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.gray("Run 'smithery auth login' to authenticate"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`SMITHERY_API_KEY=${apiKey}`)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan("Token:"), masked)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.gray("Use --full to display the complete token"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.yellow("Not logged in"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.gray("Run 'smithery auth login' to authenticate"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.bold("Available agents:"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`  ${agent}`)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(JSON.stringify({ error: message, hint }))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.yellow("Could not open browser automatically"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.gray("Please open the link manually"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(pc.green("✓ Initial build complete")))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(pc.green("✓ Built successfully")))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.red("✗ Build failed"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.green(`✓ Built MCP server in ${duration}ms`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.red("✗ Build failed"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan("\nBuilding shttp bundle for Smithery deploy..."))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan("\nScanning server capabilities..."))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan("\nBuilding stdio bundle for Smithery deploy..."))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan("\nScanning server capabilities..."))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan("\nCopying assets..."))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(`  Copied ${copiedFiles.length} asset(s)`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.yellow(`  Warning: ${warning}`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan("\nPacking MCPB bundle..."))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan("Opening browser for authentication..."))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.bold("  If your browser doesn't open, visit:"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.blue(pc.underline(`  ${session.authUrl}`)))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log("")

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log("")

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log("")

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim("  ╭─ Add to Client ─────────────────────────────╮"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim("  │"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim("  ╰────────────────────────────────────────────╯"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log("")

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(transformed)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`[Dev] Listening on http://127.0.0.1:${options.port}`)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(`Auto-installing ${spec} (non-interactive)...`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.gray(`[verbose] ${message}`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(`Using namespace: ${pc.cyan(namespace)}`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`[MCP] ${response.status} (${duration}ms)`)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`${clientProcess} has been restarted.`)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`Restarting ${client} app...`)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan("*"), `${actionDescription} MCP server`)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan("*"), "Installing MCP server for", pc.cyan(clientName))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan("*"), "Uninstalling server from", pc.cyan(clientName))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.yellow(`No servers installed for ${clientName}`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`${pc.bold(pc.cyan(displayName))}`)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(JSON.stringify(jsonData))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(JSON.stringify(record))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(tip))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(header))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(line)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(`\n${msg}`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(`Tip: ${tip}`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(JSON.stringify({ ...data, hint: tip }))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(JSON.stringify(data))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`${pc.dim(key.padEnd(maxKeyLen))}  ${display}`)

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log()

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(`Tip: ${tip}`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(JSON.stringify(data))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.gray(" Received exit signal, shutting down..."))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.blue("🚀 Run 'smithery mcp publish' to publish on Smithery"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.gray(`Press Ctrl+C to stop the ${processName}`))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log("Installing Bun...")

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log("Attempting to install Bun via Homebrew...")

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.green("Bun installed successfully!"))

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log("Please install Bun manually from https://bun.sh")

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

console.error(pc.yellow("\nThe server requires OAuth authentication."))

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

/* resolve server configuration - only for STDIO since HTTP uses OAuth (handled by client or mcp-remote) */

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

"Skipping config collection - OAuth handled by client or mcp-remote",

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

// Convert HTTP connection to STDIO using mcp-remote (like install does for non-OAuth clients)

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

// No API key needed - OAuth servers track remotely

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

undefined, // No API key needed - OAuth servers track remotely

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers.Authorization = `Bearer ${apiKey}`

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

/** Whether client supports OAuth authentication */

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

supportsOAuth: boolean

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

http: { supportsOAuth: true },

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

http: { supportsOAuth: true },

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

http: { supportsOAuth: true },

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

http: { supportsOAuth: true },

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

http: { supportsOAuth: true },

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

http: { supportsOAuth: true },

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

http: { supportsOAuth: true },

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

http: { supportsOAuth: true },

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

http: { typeValue: "streamableHttp", supportsOAuth: true },

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

http: { typeValue: "remote", supportsOAuth: true },

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

http: { supportsOAuth: true },

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

"Resume the latest paused publish (e.g., after OAuth authorization)",

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

if (config.oauth) {

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

result.oauth = config.oauth

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

result.oauth = config.oauth

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

if (config.oauth) {

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

result.oauth = config.oauth

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

result.oauth = config.oauth

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

* Creates HTTP server configuration for clients that support OAuth

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

* Creates STDIO configuration using mcp-remote for HTTP servers with non-OAuth clients

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

case "http-oauth":

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

export type TransportType = "stdio" | "http-oauth" | "http-proxy"

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

if (clientConfig.transports.http?.supportsOAuth) {

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

return { type: "http-oauth", needsUserConfig: false }

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

// Use mcp-remote as proxy for clients without OAuth

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

const res = await fetch(skillUrl)

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

const response = await fetch(url)

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

const response = await fetch(sessionUrl, {

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

const response = await fetch(pollUrl)

Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.

`  ${pc.green(pc.dim("➜"))}  ${pc.bold(pc.dim("Local:"))}      ${pc.cyan(`http://localhost:${port}/mcp`)}`,

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

const response = await fetch(bundleUrl, { method: "HEAD" })

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

const response = await fetch(bundleUrl)

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

await fetch(ANALYTICS_ENDPOINT, {

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

return env.MCP_SESSION.get(id).fetch(request)

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

await fetch(ANALYTICS_ENDPOINT, {

Dynamic imports with variable URLs can load malicious code at runtime.

return (await import(packageName)) as T

Dynamic imports with variable URLs can load malicious code at runtime.

return (await import(packageName)) as T

Dynamic imports with variable URLs can load malicious code at runtime.

return (await import(pathToFileURL(resolvedPath).href)) as T

An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.

return createServer({

An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.

this.server = await createServer({ config, session, env: this.env })

An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.

const server = await createServer(context)

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

existingConfig = JSON.parse(fs.readFileSync(configPath, "utf8"))

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

fs.writeFileSync(configPath, JSON.stringify(finalConfig, null, 2))

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

fs.mkdirSync(configDir, { recursive: true })

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

content = fs.readFileSync(configPath, "utf8")

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

fs.writeFileSync(configPath, stringifyJsonc(existingConfig, null, 2))

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

fs.mkdirSync(configDir, { recursive: true })

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

const originalContent = fs.readFileSync(configPath, "utf8")

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

fs.writeFileSync(configPath, originalDoc.toString())

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

fs.writeFileSync(configPath, yamlContent)

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

await fs.mkdir(path, { recursive: true })

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

await fs.writeFile(settingsPath, JSON.stringify(settings, null, 2))

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

const content = await fs.readFile(settingsPath, "utf-8")

Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.

if (process.env.SMITHERY_API_KEY) {

Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.

return process.env.SMITHERY_API_KEY