Back to Dashboard
40

MCP server for Withings health data integration

withings-mcp042 files scannedApril 19, 2026

Some concerns found — review before installing

We found some patterns that are worth checking. They might be harmless, but it's good practice to understand what a package does before trusting it. Read through the findings below.

What We Found(2 issues)

Each card explains what was found and what it means in plain English. Click "Technical details" for the full breakdown.

MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
package.json:38
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/server/app.ts:176

Finding Summary

0

Critical

0

High

2

Medium

0

Low

0

Info