io.github.michalbaturko-lang/voiceflip v3.0.2
This server scored D. Run it behind runtime policy enforcement so one bad tool call can't become an incident.
Security controls
Deterministic, evidence-backed. Score earned from passing controls; a failed guard caps it.
Security controls
Deterministic, evidence-backed. Score earned from passing controls; a failed guard caps it.
Model–MCP Runtime Guardrails
- PassIndirect Prompt Injection (IPI) Defensesguardno injection markers
Tool/prompt/resource text is free of hidden instructions that could hijack the agent.
- PassTool Definition Stabilityguardtool definitions stable
Tool definitions did not change after publish — no post-approval rug-pull.
- PassUser-in-the-Loop / Approval Scopeguardno destructive tool scope
No over-broad or destructive tools (arbitrary shell, bulk-delete) that warrant human approval.
- Not checkedStrict JSON Schema Enforcementno source files
Tool inputs are constrained (additionalProperties:false), so unexpected arguments can't be smuggled in.
Application Security Checks
- Not checkedNo command-injection sinksguardno source
Untrusted tool input reaching a shell yields remote code execution.
- Not checkedNo dynamic code executionguardno source
eval()/exec()/Function() on tool-derived strings allows arbitrary code execution.
- Not checkedNo path traversalguardno source
Naive path checks let tools read/write outside intended directories (EscapeRoute-class).
- Not checkedNo SSRF sinksguardno source
Fetching tool-supplied URLs can pivot into internal networks and metadata services.
- Not checkedNo unsafe deserializationguardno source
pickle/yaml.load/etc. on untrusted data can execute code.
- Not checkedNo committed secretsguardno source
Hardcoded keys/tokens in published source are live credentials an attacker can use.
- Not checkedCredentials sourced from environmentno source files
Reading secrets from env/secret stores avoids hardcoding them.
- Not checkedDependencies pinned (lockfile)no source files
A lockfile makes installs reproducible and resistant to silent dependency swaps.
- Not checkedActively maintainedGitHub API unavailable
Unmaintained servers don't receive security fixes.
- Not checkedRepository not archivedguardGitHub API unavailable
Archived repositories will never be patched.
- Not checkedDeclares a licenseGitHub API unavailable
A clear license is required for legal enterprise use.
- Not checkedHas a security policyno source files
A SECURITY.md gives a private path to report vulnerabilities.
- Not checkedSigned releasesnot evaluated
Signed releases let consumers verify artifacts weren't tampered with.
- Not checkedAdoption & popularityno adoption signal
A small, capped nudge from stars/downloads — widely-used servers get more eyes on bugs. It can never offset a real security failure.
- N/ANo known-vulnerable dependenciesno dependencies to scan
Runtime dependencies (parsed from the lockfile) are scanned against OSV.dev for published CVEs. Advisory: flagged dependencies lower the score but don't hard-cap it, since transitive reachability is unproven.
- N/ANo install/post-install scriptsguardno published package
install hooks run arbitrary code on every consumer at install time.
- N/APackage name not typosquattingguardno published package
Names mimicking popular packages are a common malware delivery vector.
- N/APublished with provenanceno published package
Build provenance attests the artifact was built from the claimed source by CI.
- N/AEstablished maintainerno published package
Brand-new / single anonymous maintainers raise takeover and malware risk.
Transport & Trust Model
- WarnIAM / Authentication Scopingno authentication handling detected
OAuth 2.1 / Protected Resource Metadata gates who can invoke tools.
Fix: Implement OAuth 2.1 with a .well-known/oauth-protected-resource document.
- PassTransport Encryption (TLS)guardall remotes use HTTPS
Plaintext HTTP exposes traffic and bearer tokens to interception.
- PassLive Endpoint Reachablelive endpoint responded
A dynamic scan connected to the declared remote endpoint and it responded — verified live, not a dead URL.
- Not checkedExecution Sandboxingno source files
A container/sandbox image limits blast radius; a server that runs natively has full host access.
- Not checkedNetwork Exposureno source files
Binding 0.0.0.0 or exposing debug inspectors widens the attack surface.
- N/AAuthentication Enforced (live)no declared auth to verify
If the server declares auth is required, it must actually reject anonymous clients. Serving tools to unauthenticated callers is a real exposure.