CanopiiCanopiiAll serversEnterprise →

airas MCP Server Security Report

io.github.airas-org/airas

Automated AI research toolkit: hypothesis generation, experiments, and paper writing

Security Trust Score
Grade B · Moderate posture
Tier 1 · Public sourceHigh confidence · 92%latest v0.3.1 Repository
Declared MCP capabilities
ResourcesPrompts

Host io.github.airas-org/airas in a governed environment — SSO in front, every tool call attributed and audited.

Reputation29stars1forks24open issuestodaylast commit1yage

Security controlslatest scored version v0.3.1

Each control is evaluated deterministically with evidence. The score is earned from passing controls; a failed guard caps it.

Model–MCP Runtime Guardrails

  • Warn
    Strict JSON Schema Enforcementschemas not strict

    Tool inputs are constrained (additionalProperties:false), so unexpected arguments can't be smuggled in.

    Fix: Set additionalProperties:false and require explicit parameters on every tool.

  • Pass
    Indirect Prompt Injection (IPI) Defensesguardno injection markers

    Tool/prompt/resource text is free of hidden instructions that could hijack the agent.

  • Pass
    User-in-the-Loop / Approval Scopeguardno destructive tool scope

    No over-broad or destructive tools (arbitrary shell, bulk-delete) that warrant human approval.

  • N/A
    Tool Definition Stabilityguardno prior version to diff

    Tool definitions did not change after publish — no post-approval rug-pull.

Application Security Checks

  • Warn
    No path traversalguard17 occurrences

    Naive path checks let tools read/write outside intended directories (EscapeRoute-class).

    frontend/src/components/app-layout.tsx:51frontend/src/components/app-layout.tsx:52frontend/src/components/app-layout.tsx:53frontend/src/components/app-layout.tsx:54

    Fix: Resolve to a canonical path and verify containment; reject ../ and symlinks.

  • Warn
    No known-vulnerable dependencies46 of 498 runtime deps vulnerable; worst critical

    Runtime dependencies (parsed from the lockfile) are scanned against OSV.dev for published CVEs. Advisory: flagged dependencies lower the score but don't hard-cap it, since transitive reachability is unproven.

    [email protected] — GHSA-2fqr-mr3j-6wp8[email protected] — GHSA-2vrm-gr82-f7m5[email protected] — GHSA-3wq7-rqq7-wx6j[email protected] — GHSA-4fvr-rgm6-gqmc

    Fix: Upgrade the flagged dependencies past their fixed versions.

  • Warn
    Established maintainerrecently published

    Brand-new / single anonymous maintainers raise takeover and malware risk.

    Fix: Publish under an established account/org; add multiple maintainers.

  • Warn
    Has a security policyno security policy

    A SECURITY.md gives a private path to report vulnerabilities.

    Fix: Add SECURITY.md with a disclosure contact and process.

  • Pass
    No command-injection sinksguardno sinks found

    Untrusted tool input reaching a shell yields remote code execution.

  • Pass
    No dynamic code executionguardno sinks found

    eval()/exec()/Function() on tool-derived strings allows arbitrary code execution.

  • Pass
    No SSRF sinksguardno sinks found

    Fetching tool-supplied URLs can pivot into internal networks and metadata services.

  • Pass
    No unsafe deserializationguardno sinks found

    pickle/yaml.load/etc. on untrusted data can execute code.

  • Pass
    No committed secretsguardno secrets found

    Hardcoded keys/tokens in published source are live credentials an attacker can use.

  • Pass
    Credentials sourced from environmentreads credentials from environment

    Reading secrets from env/secret stores avoids hardcoding them.

  • Pass
    Dependencies pinned (lockfile)lockfile present

    A lockfile makes installs reproducible and resistant to silent dependency swaps.

  • Pass
    Package name not typosquattingguarddistinct package name

    Names mimicking popular packages are a common malware delivery vector.

  • Pass
    Actively maintainedrecent commits

    Unmaintained servers don't receive security fixes.

  • Pass
    Repository not archivedguardactive

    Archived repositories will never be patched.

  • Pass
    Declares a licenseMIT

    A clear license is required for legal enterprise use.

  • Pass
    Adoption & popularityestablished adoption

    A small, capped nudge from stars/downloads — widely-used servers get more eyes on bugs. It can never offset a real security failure.

  • Not checked
    No install/post-install scriptsguardnot determinable from PyPI metadata

    install hooks run arbitrary code on every consumer at install time.

  • Not checked
    Published with provenancenot determinable

    Build provenance attests the artifact was built from the claimed source by CI.

  • Not checked
    Signed releasesnot evaluated

    Signed releases let consumers verify artifacts weren't tampered with.

Transport & Trust Model

  • Warn
    Network Exposurebinds 0.0.0.0

    Binding 0.0.0.0 or exposing debug inspectors widens the attack surface.

    Fix: Bind to 127.0.0.1 by default; never ship open debug endpoints.

  • Pass
    Execution Sandboxingcontainerized

    A container/sandbox image limits blast radius; a server that runs natively has full host access.

  • N/A
    Transport Encryption (TLS)guardno remote endpoints

    Plaintext HTTP exposes traffic and bearer tokens to interception.

  • N/A
    IAM / Authentication Scopingno remote endpoints

    OAuth 2.1 / Protected Resource Metadata gates who can invoke tools.

  • N/A
    Live Endpoint Reachablenot dynamically scanned

    A dynamic scan connected to the declared remote endpoint and it responded — verified live, not a dead URL.

  • N/A
    Authentication Enforced (live)not dynamically scanned

    If the server declares auth is required, it must actually reject anonymous clients. Serving tools to unauthenticated callers is a real exposure.

Embed this score

Add the live badge to your README — it updates automatically on every rescan.

Canopii Trust Score badge preview
markdown[![Canopii Trust Score](https://index.canopii.dev/api/badge/io.github.airas-org/airas)](https://index.canopii.dev/server/io.github.airas-org/airas)
html<a href="https://index.canopii.dev/server/io.github.airas-org/airas"><img src="https://index.canopii.dev/api/badge/io.github.airas-org/airas" alt="Canopii Trust Score" /></a>

Versions

VersionScoreStatus
v0.3.1latest87Bscored