dflow-mcp
ba1nch0d/dflow-mcpMCP Server for Prediction Market Metadata API - Access comprehensive prediction market data through 24 specialized tools
Some concerns found — review before installing
We found some patterns that are worth checking. They might be harmless, but it's good practice to understand what a package does before trusting it. Read through the findings below.
What We Found(2 issues)
Each card explains what was found and what it means in plain English. Click "Technical details" for the full breakdown.
Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.
Technical details
Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.
"latest"Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.
Technical details
Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.
raw.githubusercontentFinding Summary
0
Critical
0
High
2
Medium
0
Low
0
Info