CanopiiCanopiiAll serversEnterprise →
io.github.iowarp/scientific-catalog-mcp

io.github.iowarp/scientific-catalog-mcp v1.0.0

Security Trust Score
Grade F · Serious issues
Tier 1 · Public sourceHigh confidence · 92%
Declared MCP capabilities

This server scored F. Run it behind runtime policy enforcement so one bad tool call can't become an incident.

1 issue capping this score
  • criticalNo dynamic code execution1 occurrence
Reputation25stars25forks23open issuestodaylast commit1yage

Security controls

Deterministic, evidence-backed. Score earned from passing controls; a failed guard caps it.

Model–MCP Runtime Guardrails

  • Warn
    Strict JSON Schema Enforcementschemas not strict

    Tool inputs are constrained (additionalProperties:false), so unexpected arguments can't be smuggled in.

    Fix: Set additionalProperties:false and require explicit parameters on every tool.

  • Pass
    Indirect Prompt Injection (IPI) Defensesguardno injection markers

    Tool/prompt/resource text is free of hidden instructions that could hijack the agent.

  • Pass
    User-in-the-Loop / Approval Scopeguardno destructive tool scope

    No over-broad or destructive tools (arbitrary shell, bulk-delete) that warrant human approval.

  • N/A
    Tool Definition Stabilityguardno prior version to diff

    Tool definitions did not change after publish — no post-approval rug-pull.

Application Security Checks

  • Fail
    No dynamic code executionguard1 occurrence

    eval()/exec()/Function() on tool-derived strings allows arbitrary code execution.

    clio-kit-mcp-servers/hdf5/src/hdf5_mcp/server.py:909

    Fix: Remove eval/exec; parse and dispatch explicitly.

  • Warn
    No known-vulnerable dependencies3 of 317 runtime deps vulnerable; worst high

    Runtime dependencies (parsed from the lockfile) are scanned against OSV.dev for published CVEs. Advisory: flagged dependencies lower the score but don't hard-cap it, since transitive reachability is unproven.

    [email protected] — PYSEC-2026-3447[email protected] — GHSA-rrmf-rvhw-rf47[email protected] — PYSEC-2026-139[email protected] — GHSA-29pf-2h5f-8g72

    Fix: Upgrade the flagged dependencies past their fixed versions.

  • Warn
    Established maintainerrecently published

    Brand-new / single anonymous maintainers raise takeover and malware risk.

    Fix: Publish under an established account/org; add multiple maintainers.

  • Warn
    Has a security policyno security policy

    A SECURITY.md gives a private path to report vulnerabilities.

    Fix: Add SECURITY.md with a disclosure contact and process.

  • Pass
    No command-injection sinksguardno sinks found

    Untrusted tool input reaching a shell yields remote code execution.

  • Pass
    No path traversalguardno sinks found

    Naive path checks let tools read/write outside intended directories (EscapeRoute-class).

  • Pass
    No SSRF sinksguardno sinks found

    Fetching tool-supplied URLs can pivot into internal networks and metadata services.

  • Pass
    No unsafe deserializationguardno sinks found

    pickle/yaml.load/etc. on untrusted data can execute code.

  • Pass
    No committed secretsguardno secrets found

    Hardcoded keys/tokens in published source are live credentials an attacker can use.

  • Pass
    Credentials sourced from environmentreads credentials from environment

    Reading secrets from env/secret stores avoids hardcoding them.

  • Pass
    Dependencies pinned (lockfile)lockfile present

    A lockfile makes installs reproducible and resistant to silent dependency swaps.

  • Pass
    Package name not typosquattingguarddistinct package name

    Names mimicking popular packages are a common malware delivery vector.

  • Pass
    Actively maintainedrecent commits

    Unmaintained servers don't receive security fixes.

  • Pass
    Repository not archivedguardactive

    Archived repositories will never be patched.

  • Pass
    Declares a licenseBSD-3-Clause

    A clear license is required for legal enterprise use.

  • Pass
    Adoption & popularityestablished adoption

    A small, capped nudge from stars/downloads — widely-used servers get more eyes on bugs. It can never offset a real security failure.

  • Not checked
    No install/post-install scriptsguardnot determinable from PyPI metadata

    install hooks run arbitrary code on every consumer at install time.

  • Not checked
    Published with provenancenot determinable

    Build provenance attests the artifact was built from the claimed source by CI.

  • Not checked
    Signed releasesnot evaluated

    Signed releases let consumers verify artifacts weren't tampered with.

Transport & Trust Model

  • Warn
    Execution Sandboxingruns natively (no container image)

    A container/sandbox image limits blast radius; a server that runs natively has full host access.

    Fix: Ship a Dockerfile/Containerfile (or document a sandboxed run) so the server runs isolated.

  • Warn
    Network Exposurebinds 0.0.0.0

    Binding 0.0.0.0 or exposing debug inspectors widens the attack surface.

    Fix: Bind to 127.0.0.1 by default; never ship open debug endpoints.

  • N/A
    Transport Encryption (TLS)guardno remote endpoints

    Plaintext HTTP exposes traffic and bearer tokens to interception.

  • N/A
    IAM / Authentication Scopingno remote endpoints

    OAuth 2.1 / Protected Resource Metadata gates who can invoke tools.

  • N/A
    Live Endpoint Reachablenot dynamically scanned

    A dynamic scan connected to the declared remote endpoint and it responded — verified live, not a dead URL.

  • N/A
    Authentication Enforced (live)not dynamically scanned

    If the server declares auth is required, it must actually reject anonymous clients. Serving tools to unauthenticated callers is a real exposure.

Tools (80)

jm_cdmy_tooljm_add_repojm_get_reposimple_toolcomplex_toolexample_toolfeature_tooljm_graph_showjm_list_reposlist_bp5_tooltool_functionjm_graph_buildjm_load_configjm_remove_repojm_save_configstop_chronologappend_pkg_tooljm_graph_modifyjm_promote_repojm_set_hostfilestart_chronologget_pdf_url_tooljm_construct_pkgjm_create_configmodule_list_toolmodule_load_toolmodule_save_toolmodule_show_toolmodule_swap_toolget_cpu_info_tooljm_bootstrap_fromjm_bootstrap_listjm_list_pipelinesmodule_avail_toolrun_pipeline_toolsearch_arxiv_toolcompress_file_toolconfigure_pkg_toolload_pipeline_toolmodule_spider_toolmodule_unload_toolrecord_interactionget_pkg_config_toolmodule_restore_toolcreate_pipeline_tooldecompress_file_toolexport_pipeline_toolget_job_summary_toolmodule_savelist_toolretrieve_interactionsearch_by_title_toolupdate_pipeline_tooldestroy_pipeline_toolexport_to_bibtex_toolload_darshan_log_toolget_paper_details_toolget_recent_papers_toolinspect_variables_toolrefresh_hdf5_resourcessearch_by_subject_toolsearch_date_range_toolbuild_pipeline_env_tooldownload_paper_pdf_toolinspect_attributes_toolsearch_by_abstract_toolfind_similar_papers_toolcompare_darshan_logs_toollist_available_hdf5_filesget_timeline_analysis_toolread_variable_at_step_tooldownload_multiple_pdfs_toolidentify_io_bottlenecks_toolsearch_papers_by_author_toolanalyze_mpiio_operations_toolanalyze_posix_operations_toolinspect_variables_at_step_toolgenerate_io_summary_report_toolget_io_performance_metrics_toolanalyze_file_access_patterns_tool