sassymcp MCP Server Security Report
One MCP server that replaces 75+ — 274 tools in a single exe, smart-loaded.
This server scored F. Run it behind runtime policy enforcement so one bad tool call can't become an incident.
- criticalNo command-injection sinks — 1 occurrence
- mediumNo over-broad / destructive tools — 2 over-broad tool(s)
Security controlslatest scored version v1.12.1
Each control is evaluated deterministically with evidence. The score is earned from passing controls; a failed guard caps it.
Security controlslatest scored version v1.12.1
Each control is evaluated deterministically with evidence. The score is earned from passing controls; a failed guard caps it.
Model–MCP Runtime Guardrails
- FailUser-in-the-Loop / Approval Scopeguard2 over-broad tool(s)
No over-broad or destructive tools (arbitrary shell, bulk-delete) that warrant human approval.
sassy_combo_phone_observesassy_write_fileFix: Scope tools narrowly; avoid arbitrary command execution and destructive defaults.
- WarnStrict JSON Schema Enforcementschemas not strict
Tool inputs are constrained (additionalProperties:false), so unexpected arguments can't be smuggled in.
Fix: Set additionalProperties:false and require explicit parameters on every tool.
- PassIndirect Prompt Injection (IPI) Defensesguardno injection markers
Tool/prompt/resource text is free of hidden instructions that could hijack the agent.
- N/ATool Definition Stabilityguardno prior version to diff
Tool definitions did not change after publish — no post-approval rug-pull.
Application Security Checks
- FailNo command-injection sinksguard1 occurrence
Untrusted tool input reaching a shell yields remote code execution.
sassymcp/overlay/mesh.py:91Fix: Never pass tool arguments to a shell; use argv arrays with shell disabled.
- WarnNo path traversalguard2 occurrences
Naive path checks let tools read/write outside intended directories (EscapeRoute-class).
sassymcp-billing/src/index.js:237sassymcp-oauth/src/index.js:436Fix: Resolve to a canonical path and verify containment; reject ../ and symlinks.
- WarnNo SSRF sinksguard12 occurrences
Fetching tool-supplied URLs can pivot into internal networks and metadata services.
hermes_node.py:175hermes_node.py:224sassymcp/modules/updater.py:73sassymcp/modules/updater.py:196Fix: Allow-list destinations; reject arbitrary/loopback/link-local URLs.
- WarnNo known-vulnerable dependencies2 of 65 runtime deps vulnerable; worst medium
Runtime dependencies (parsed from the lockfile) are scanned against OSV.dev for published CVEs. Advisory: flagged dependencies lower the score but don't hard-cap it, since transitive reachability is unproven.
[email protected] — PYSEC-2026-2132[email protected] — PYSEC-2026-2253[email protected] — PYSEC-2026-2254[email protected] — PYSEC-2026-2255Fix: Upgrade the flagged dependencies past their fixed versions.
- WarnEstablished maintainerrecently published
Brand-new / single anonymous maintainers raise takeover and malware risk.
Fix: Publish under an established account/org; add multiple maintainers.
- WarnHas a security policyno security policy
A SECURITY.md gives a private path to report vulnerabilities.
Fix: Add SECURITY.md with a disclosure contact and process.
- WarnAdoption & popularitylimited adoption
A small, capped nudge from stars/downloads — widely-used servers get more eyes on bugs. It can never offset a real security failure.
Fix: Adoption grows naturally with real-world use; this never gates the score.
- PassNo dynamic code executionguardno sinks found
eval()/exec()/Function() on tool-derived strings allows arbitrary code execution.
- PassNo unsafe deserializationguardno sinks found
pickle/yaml.load/etc. on untrusted data can execute code.
- PassNo committed secretsguardno secrets found
Hardcoded keys/tokens in published source are live credentials an attacker can use.
- PassCredentials sourced from environmentreads credentials from environment
Reading secrets from env/secret stores avoids hardcoding them.
- PassDependencies pinned (lockfile)lockfile present
A lockfile makes installs reproducible and resistant to silent dependency swaps.
- PassPackage name not typosquattingguarddistinct package name
Names mimicking popular packages are a common malware delivery vector.
- PassActively maintainedrecent commits
Unmaintained servers don't receive security fixes.
- PassRepository not archivedguardactive
Archived repositories will never be patched.
- PassDeclares a licenseMIT
A clear license is required for legal enterprise use.
- Not checkedNo install/post-install scriptsguardnot determinable from PyPI metadata
install hooks run arbitrary code on every consumer at install time.
- Not checkedPublished with provenancenot determinable
Build provenance attests the artifact was built from the claimed source by CI.
- Not checkedSigned releasesnot evaluated
Signed releases let consumers verify artifacts weren't tampered with.
Transport & Trust Model
- WarnExecution Sandboxingruns natively (no container image)
A container/sandbox image limits blast radius; a server that runs natively has full host access.
Fix: Ship a Dockerfile/Containerfile (or document a sandboxed run) so the server runs isolated.
- WarnNetwork Exposurebinds 0.0.0.0
Binding 0.0.0.0 or exposing debug inspectors widens the attack surface.
Fix: Bind to 127.0.0.1 by default; never ship open debug endpoints.
- N/ATransport Encryption (TLS)guardno remote endpoints
Plaintext HTTP exposes traffic and bearer tokens to interception.
- N/AIAM / Authentication Scopingno remote endpoints
OAuth 2.1 / Protected Resource Metadata gates who can invoke tools.
- N/ALive Endpoint Reachablenot dynamically scanned
A dynamic scan connected to the declared remote endpoint and it responded — verified live, not a dead URL.
- N/AAuthentication Enforced (live)not dynamically scanned
If the server declares auth is required, it must actually reject anonymous clients. Serving tools to unauthenticated callers is a real exposure.
Embed this score
Add the live badge to your README — it updates automatically on every rescan.
[](https://index.canopii.dev/server/io.github.sassyconsultingllc/sassymcp)<a href="https://index.canopii.dev/server/io.github.sassyconsultingllc/sassymcp"><img src="https://index.canopii.dev/api/badge/io.github.sassyconsultingllc/sassymcp" alt="Canopii Trust Score" /></a>Versions
| Version | Score | Status | Published |
|---|---|---|---|
| v1.12.1latest | 14F | scored | 7/15/2026 |