MCP Scanner

This repository may not be an MCP server

We could not detect MCP SDK imports or tool registrations.


Repository: the-basilisk-ai/squad-mcp (squad-mcp)

235 files · 9 findings

Summary: 6 high, 3 medium

Tool Poisoning: clean
Command Injection: clean
Path Traversal: 2 issues
SSRF: 5 issues
Credential Theft: clean
Excessive Permissions: clean
Missing Auth: clean
Supply Chain: 2 issues
Rug Pull: clean

SSRF (5 issues)

Request to localhost or loopback address

Severity: high

Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.

index.ts:24
const BASE_URI = process.env.BASE_URI || `http://localhost:${PORT}`;

How to fix

Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.

HTTP request with unvalidated URL parameter

Severity: high

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

openapi/squad.json:7227
"description": "Bad request (e.g., missing body or invalid parameters)"

How to fix

Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.

HTTP request with unvalidated URL parameter

Severity: high

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

openapi/squad.json:7293
"description": "Bad request (e.g., missing body or invalid parameters)"

How to fix

Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.

HTTP request with unvalidated URL parameter

Severity: high

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

openapi/squad.json:7369
"description": "Bad request (e.g., missing body or invalid parameters)"

How to fix

Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.

HTTP request with unvalidated URL parameter

Severity: high

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

openapi/squad.json:7455
"description": "Bad request (e.g., missing body or invalid parameters)"

How to fix

Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.

Supply Chain (2 issues)

Install scripts in package.json

Severity: high

preinstall and postinstall scripts in package.json execute automatically during npm install and can run malicious code.

package.json:9
"postinstall": "echo '// no-op: server uses SWC' > node_modules/typescript/bin/tsc",

How to fix

Remove preinstall/postinstall scripts or audit their content. Use prepare scripts for build steps only.

Typosquatting-susceptible dependency name

Severity: medium

Package names that are common misspellings of popular packages may be typosquatting attacks.

package.json:63
"axios": "^1.13.5",

How to fix

Verify package names against the official registry. Use lockfiles and integrity hashes.

Path Traversal (2 issues)

fs operations without path sanitization

Severity: medium

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

scripts/openapi-client-esm-fix.ts:7
const content = fs.readFileSync(file, "utf8");

How to fix

Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.

fs operations without path sanitization

Severity: medium

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

scripts/openapi-client-esm-fix.ts:17
fs.writeFileSync(file, fixed);

How to fix

Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.