misterdev MCP Server Security Report
Autonomous LLM build orchestrator that plans, edits, and verifies code across languages.
This server scored F. Run it behind runtime policy enforcement so one bad tool call can't become an incident.
- criticalNo command-injection sinks — 21 occurrences
Security controlslatest scored version v0.4.1
Each control is evaluated deterministically with evidence. The score is earned from passing controls; a failed guard caps it.
Security controlslatest scored version v0.4.1
Each control is evaluated deterministically with evidence. The score is earned from passing controls; a failed guard caps it.
Model–MCP Runtime Guardrails
- WarnStrict JSON Schema Enforcementschemas not strict
Tool inputs are constrained (additionalProperties:false), so unexpected arguments can't be smuggled in.
Fix: Set additionalProperties:false and require explicit parameters on every tool.
- PassIndirect Prompt Injection (IPI) Defensesguardno injection markers
Tool/prompt/resource text is free of hidden instructions that could hijack the agent.
- PassUser-in-the-Loop / Approval Scopeguardno destructive tool scope
No over-broad or destructive tools (arbitrary shell, bulk-delete) that warrant human approval.
- N/ATool Definition Stabilityguardno prior version to diff
Tool definitions did not change after publish — no post-approval rug-pull.
Application Security Checks
- FailNo command-injection sinksguard21 occurrences
Untrusted tool input reaching a shell yields remote code execution.
evaluation/native/harness.py:135evaluation/polyglot/grader.py:50evaluation/polyglot/runner.py:76evaluation/swebench/grader.py:37Fix: Never pass tool arguments to a shell; use argv arrays with shell disabled.
- WarnAdoption & popularitylimited adoption
A small, capped nudge from stars/downloads — widely-used servers get more eyes on bugs. It can never offset a real security failure.
Fix: Adoption grows naturally with real-world use; this never gates the score.
- WarnNo SSRF sinksguard2 occurrences
Fetching tool-supplied URLs can pivot into internal networks and metadata services.
misterdev/core/economics/free_models.py:43misterdev/core/integration/mcp_registry.py:168Fix: Allow-list destinations; reject arbitrary/loopback/link-local URLs.
- WarnNo known-vulnerable dependencies2 of 107 runtime deps vulnerable; worst medium
Runtime dependencies (parsed from the lockfile) are scanned against OSV.dev for published CVEs. Advisory: flagged dependencies lower the score but don't hard-cap it, since transitive reachability is unproven.
[email protected] — PYSEC-2026-2253[email protected] — PYSEC-2026-2254[email protected] — PYSEC-2026-2255[email protected] — PYSEC-2026-2256Fix: Upgrade the flagged dependencies past their fixed versions.
- WarnEstablished maintainerrecently published
Brand-new / single anonymous maintainers raise takeover and malware risk.
Fix: Publish under an established account/org; add multiple maintainers.
- PassActively maintainedrecent commits
Unmaintained servers don't receive security fixes.
- PassRepository not archivedguardactive
Archived repositories will never be patched.
- PassDeclares a licenseAGPL-3.0
A clear license is required for legal enterprise use.
- PassHas a security policySECURITY.md present
A SECURITY.md gives a private path to report vulnerabilities.
- PassNo dynamic code executionguardno sinks found
eval()/exec()/Function() on tool-derived strings allows arbitrary code execution.
- PassNo path traversalguardno sinks found
Naive path checks let tools read/write outside intended directories (EscapeRoute-class).
- PassNo unsafe deserializationguardno sinks found
pickle/yaml.load/etc. on untrusted data can execute code.
- PassNo committed secretsguardno secrets found
Hardcoded keys/tokens in published source are live credentials an attacker can use.
- PassCredentials sourced from environmentreads credentials from environment
Reading secrets from env/secret stores avoids hardcoding them.
- PassDependencies pinned (lockfile)lockfile present
A lockfile makes installs reproducible and resistant to silent dependency swaps.
- PassPackage name not typosquattingguarddistinct package name
Names mimicking popular packages are a common malware delivery vector.
- Not checkedSigned releasesnot evaluated
Signed releases let consumers verify artifacts weren't tampered with.
- Not checkedNo install/post-install scriptsguardnot determinable from PyPI metadata
install hooks run arbitrary code on every consumer at install time.
- Not checkedPublished with provenancenot determinable
Build provenance attests the artifact was built from the claimed source by CI.
Transport & Trust Model
- PassNetwork Exposureno bind-all detected
Binding 0.0.0.0 or exposing debug inspectors widens the attack surface.
- PassExecution Sandboxingcontainerized
A container/sandbox image limits blast radius; a server that runs natively has full host access.
- N/AAuthentication Enforced (live)not dynamically scanned
If the server declares auth is required, it must actually reject anonymous clients. Serving tools to unauthenticated callers is a real exposure.
- N/ATransport Encryption (TLS)guardno remote endpoints
Plaintext HTTP exposes traffic and bearer tokens to interception.
- N/AIAM / Authentication Scopingno remote endpoints
OAuth 2.1 / Protected Resource Metadata gates who can invoke tools.
- N/ALive Endpoint Reachablenot dynamically scanned
A dynamic scan connected to the declared remote endpoint and it responded — verified live, not a dead URL.
Embed this score
Add the live badge to your README — it updates automatically on every rescan.
[](https://index.canopii.dev/server/io.github.dcondrey/misterdev)<a href="https://index.canopii.dev/server/io.github.dcondrey/misterdev"><img src="https://index.canopii.dev/api/badge/io.github.dcondrey/misterdev" alt="Canopii Trust Score" /></a>Versions
| Version | Score | Status | Published |
|---|---|---|---|
| v0.4.1latest | 16F | scored | 7/14/2026 |