Back to Dashboard
100

Common MCP Gateway - Aggregates multiple MCP servers with robust timeout and error handling

@bmsoft1024/common-mcp-gateway045 files scannedApril 17, 2026

High risk — review carefully before installing

This package can run commands on your computer AND reads your secret tokens. That combination means it could potentially steal your credentials. Only install this if you trust the author and understand why it needs these permissions.

What We Found(4 issues)

Each card explains what was found and what it means in plain English. Click "Technical details" for the full breakdown.

HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn, ChildProcess } from 'child_process'
src/gateway/connection-pool.ts:3
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

require('child_process'
test-client.js:2
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
test-client.js:4
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.GATEWAY_MANAGER_SECRET
gateway-manager/backend/src/server.ts:23

Finding Summary

0

Critical

4

High

0

Medium

0

Low

0

Info