CanopiiCanopiiAll serversEnterprise →
io.github.lonniev/taxsort-mcp

io.github.lonniev/taxsort-mcp v0.29.2

Security Trust Score
Grade F · Serious issues
Tier 1 · Public sourceHigh confidence · 98%
Declared MCP capabilities
ResourcesPrompts

This server scored F. Run it behind runtime policy enforcement so one bad tool call can't become an incident.

2 issues capping this score
  • highTool descriptions free of injection markers2 marker(s) across 2 tool(s)
  • mediumNo over-broad / destructive tools3 over-broad tool(s)
Reputation0stars0forks0open issuestodaylast commit<1yage

Security controls

Deterministic, evidence-backed. Score earned from passing controls; a failed guard caps it.

Model–MCP Runtime Guardrails

  • Fail
    Indirect Prompt Injection (IPI) Defensesguard2 marker(s) across 2 tool(s)

    Tool/prompt/resource text is free of hidden instructions that could hijack the agent.

    taxsort_request_credential_channel — exfiltration directivetaxsort_receive_credentials — exfiltration directive

    Fix: Remove hidden directives, HTML/comment instructions, and override phrasing from descriptions.

  • Fail
    User-in-the-Loop / Approval Scopeguard3 over-broad tool(s)

    No over-broad or destructive tools (arbitrary shell, bulk-delete) that warrant human approval.

    taxsort_clear_transactionstaxsort_delete_account_transactionstaxsort_reset_classifications

    Fix: Scope tools narrowly; avoid arbitrary command execution and destructive defaults.

  • Warn
    Strict JSON Schema Enforcementschemas not strict

    Tool inputs are constrained (additionalProperties:false), so unexpected arguments can't be smuggled in.

    Fix: Set additionalProperties:false and require explicit parameters on every tool.

  • N/A
    Tool Definition Stabilityguardno prior version to diff

    Tool definitions did not change after publish — no post-approval rug-pull.

Application Security Checks

  • Warn
    No path traversalguard4 occurrences

    Naive path checks let tools read/write outside intended directories (EscapeRoute-class).

    frontend/src/App.tsx:153frontend/src/App.tsx:194frontend/src/components/FeedbackPage.tsx:178frontend/src/hooks/useMCP.ts:14

    Fix: Resolve to a canonical path and verify containment; reject ../ and symlinks.

  • Warn
    Credentials sourced from environmentno env-based config detected

    Reading secrets from env/secret stores avoids hardcoding them.

    Fix: Read credentials from environment variables or a secret manager.

  • Warn
    No known-vulnerable dependencies19 of 369 runtime deps vulnerable; worst high

    Runtime dependencies (parsed from the lockfile) are scanned against OSV.dev for published CVEs. Advisory: flagged dependencies lower the score but don't hard-cap it, since transitive reachability is unproven.

    @anthropic-ai/[email protected] — GHSA-p7fg-763f-g4gf@hono/[email protected] — GHSA-92pp-h63x-v22m[email protected] — GHSA-q3j6-qgpj-74h6[email protected] — GHSA-v39h-62p7-jpjc

    Fix: Upgrade the flagged dependencies past their fixed versions.

  • Warn
    Has a security policyno security policy

    A SECURITY.md gives a private path to report vulnerabilities.

    Fix: Add SECURITY.md with a disclosure contact and process.

  • Warn
    Adoption & popularitylimited adoption

    A small, capped nudge from stars/downloads — widely-used servers get more eyes on bugs. It can never offset a real security failure.

    Fix: Adoption grows naturally with real-world use; this never gates the score.

  • Pass
    No command-injection sinksguardno sinks found

    Untrusted tool input reaching a shell yields remote code execution.

  • Pass
    No dynamic code executionguardno sinks found

    eval()/exec()/Function() on tool-derived strings allows arbitrary code execution.

  • Pass
    No SSRF sinksguardno sinks found

    Fetching tool-supplied URLs can pivot into internal networks and metadata services.

  • Pass
    No unsafe deserializationguardno sinks found

    pickle/yaml.load/etc. on untrusted data can execute code.

  • Pass
    No committed secretsguardno secrets found

    Hardcoded keys/tokens in published source are live credentials an attacker can use.

  • Pass
    Dependencies pinned (lockfile)lockfile present

    A lockfile makes installs reproducible and resistant to silent dependency swaps.

  • Pass
    Actively maintainedrecent commits

    Unmaintained servers don't receive security fixes.

  • Pass
    Repository not archivedguardactive

    Archived repositories will never be patched.

  • Pass
    Declares a licenseApache-2.0

    A clear license is required for legal enterprise use.

  • Not checked
    Signed releasesnot evaluated

    Signed releases let consumers verify artifacts weren't tampered with.

  • N/A
    No install/post-install scriptsguardno published package

    install hooks run arbitrary code on every consumer at install time.

  • N/A
    Package name not typosquattingguardno published package

    Names mimicking popular packages are a common malware delivery vector.

  • N/A
    Published with provenanceno published package

    Build provenance attests the artifact was built from the claimed source by CI.

  • N/A
    Established maintainerno published package

    Brand-new / single anonymous maintainers raise takeover and malware risk.

Transport & Trust Model

  • Warn
    Execution Sandboxingruns natively (no container image)

    A container/sandbox image limits blast radius; a server that runs natively has full host access.

    Fix: Ship a Dockerfile/Containerfile (or document a sandboxed run) so the server runs isolated.

  • Pass
    Transport Encryption (TLS)guardall remotes use HTTPS

    Plaintext HTTP exposes traffic and bearer tokens to interception.

  • Pass
    IAM / Authentication ScopingOAuth / PRM handling detected

    OAuth 2.1 / Protected Resource Metadata gates who can invoke tools.

  • Pass
    Network Exposureno bind-all detected

    Binding 0.0.0.0 or exposing debug inspectors widens the attack surface.

  • N/A
    Live Endpoint Reachablenot dynamically scanned

    A dynamic scan connected to the declared remote endpoint and it responded — verified live, not a dead URL.

  • N/A
    Authentication Enforced (live)not dynamically scanned

    If the server declares auth is required, it must actually reject anonymous clients. Serving tools to unauthenticated callers is a real exposure.

Tools (84)

taxsort_get_rulestaxsort_save_ruletaxsort_import_csvtaxsort_apply_rulestaxsort_ask_advisortaxsort_check_pricetaxsort_delete_ruletaxsort_get_sessiontaxsort_get_summarytaxsort_mint_coupontaxsort_check_unlocktaxsort_get_accountstaxsort_list_couponstaxsort_oracle_abouttaxsort_check_balancetaxsort_check_paymenttaxsort_delete_coupontaxsort_forget_coupontaxsort_list_sessionstaxsort_redeem_coupontaxsort_update_coupontaxsort_create_sessiontaxsort_request_unlocktaxsort_service_statustaxsort_session_statustaxsort_adoption_statustaxsort_list_my_couponstaxsort_notarize_ledgertaxsort_restore_creditstaxsort_get_github_tokentaxsort_get_import_statstaxsort_get_transactionstaxsort_load_share_tokentaxsort_purchase_creditstaxsort_report_api_usagetaxsort_request_adoptiontaxsort_set_account_typetaxsort_account_statementtaxsort_get_anthropic_keytaxsort_get_nostr_profiletaxsort_get_pricing_modeltaxsort_session_heartbeattaxsort_set_pricing_modeltaxsort_verify_passphrasetaxsort_ask_tax_researchertaxsort_check_proof_statustaxsort_clear_transactionstaxsort_count_rule_matchestaxsort_create_share_tokentaxsort_forget_credentialstaxsort_list_notarizationstaxsort_oracle_how_to_jointaxsort_receive_npub_prooftaxsort_request_npub_prooftaxsort_get_api_usage_statstaxsort_oracle_get_tax_ratetaxsort_receive_credentialstaxsort_reset_pricing_modeltaxsort_restore_neon_schemataxsort_get_amount_neighborstaxsort_list_feedback_issuestaxsort_oracle_lookup_membertaxsort_save_classificationstaxsort_save_custom_categorytaxsort_create_feedback_issuetaxsort_delete_classificationtaxsort_get_custom_categoriestaxsort_list_constraint_typestaxsort_publish_nostr_profiletaxsort_reset_classificationstaxsort_delete_custom_categorytaxsort_get_notarization_prooftaxsort_get_transactions_pagedtaxsort_check_authority_balancetaxsort_oracle_network_advisorytaxsort_delete_patron_credentialtaxsort_update_patron_credentialtaxsort_list_canonical_identitiestaxsort_request_credential_channeltaxsort_delete_account_transactionstaxsort_get_patron_credential_fieldstaxsort_get_patron_onboarding_statustaxsort_account_statement_infographictaxsort_get_operator_onboarding_status