CanopiiCanopiiAll serversEnterprise →
io.github.sassyconsultingllc/sassymcp

io.github.sassyconsultingllc/sassymcp v1.12.1

Security Trust Score
Grade F · Serious issues
Tier 1 · Public sourceHigh confidence · 92%
Declared MCP capabilities
ResourcesPrompts

This server scored F. Run it behind runtime policy enforcement so one bad tool call can't become an incident.

2 issues capping this score
  • criticalNo command-injection sinks1 occurrence
  • mediumNo over-broad / destructive tools2 over-broad tool(s)
Reputation4stars2forks1open issuestodaylast commit<1yage

Security controls

Deterministic, evidence-backed. Score earned from passing controls; a failed guard caps it.

Model–MCP Runtime Guardrails

  • Fail
    User-in-the-Loop / Approval Scopeguard2 over-broad tool(s)

    No over-broad or destructive tools (arbitrary shell, bulk-delete) that warrant human approval.

    sassy_combo_phone_observesassy_write_file

    Fix: Scope tools narrowly; avoid arbitrary command execution and destructive defaults.

  • Warn
    Strict JSON Schema Enforcementschemas not strict

    Tool inputs are constrained (additionalProperties:false), so unexpected arguments can't be smuggled in.

    Fix: Set additionalProperties:false and require explicit parameters on every tool.

  • Pass
    Indirect Prompt Injection (IPI) Defensesguardno injection markers

    Tool/prompt/resource text is free of hidden instructions that could hijack the agent.

  • N/A
    Tool Definition Stabilityguardno prior version to diff

    Tool definitions did not change after publish — no post-approval rug-pull.

Application Security Checks

  • Fail
    No command-injection sinksguard1 occurrence

    Untrusted tool input reaching a shell yields remote code execution.

    sassymcp/overlay/mesh.py:91

    Fix: Never pass tool arguments to a shell; use argv arrays with shell disabled.

  • Warn
    No path traversalguard2 occurrences

    Naive path checks let tools read/write outside intended directories (EscapeRoute-class).

    sassymcp-billing/src/index.js:237sassymcp-oauth/src/index.js:436

    Fix: Resolve to a canonical path and verify containment; reject ../ and symlinks.

  • Warn
    No SSRF sinksguard12 occurrences

    Fetching tool-supplied URLs can pivot into internal networks and metadata services.

    hermes_node.py:175hermes_node.py:224sassymcp/modules/updater.py:73sassymcp/modules/updater.py:196

    Fix: Allow-list destinations; reject arbitrary/loopback/link-local URLs.

  • Warn
    No known-vulnerable dependencies2 of 65 runtime deps vulnerable; worst medium

    Runtime dependencies (parsed from the lockfile) are scanned against OSV.dev for published CVEs. Advisory: flagged dependencies lower the score but don't hard-cap it, since transitive reachability is unproven.

    [email protected] — PYSEC-2026-2132[email protected] — PYSEC-2026-2253[email protected] — PYSEC-2026-2254[email protected] — PYSEC-2026-2255

    Fix: Upgrade the flagged dependencies past their fixed versions.

  • Warn
    Established maintainerrecently published

    Brand-new / single anonymous maintainers raise takeover and malware risk.

    Fix: Publish under an established account/org; add multiple maintainers.

  • Warn
    Has a security policyno security policy

    A SECURITY.md gives a private path to report vulnerabilities.

    Fix: Add SECURITY.md with a disclosure contact and process.

  • Warn
    Adoption & popularitylimited adoption

    A small, capped nudge from stars/downloads — widely-used servers get more eyes on bugs. It can never offset a real security failure.

    Fix: Adoption grows naturally with real-world use; this never gates the score.

  • Pass
    No dynamic code executionguardno sinks found

    eval()/exec()/Function() on tool-derived strings allows arbitrary code execution.

  • Pass
    No unsafe deserializationguardno sinks found

    pickle/yaml.load/etc. on untrusted data can execute code.

  • Pass
    No committed secretsguardno secrets found

    Hardcoded keys/tokens in published source are live credentials an attacker can use.

  • Pass
    Credentials sourced from environmentreads credentials from environment

    Reading secrets from env/secret stores avoids hardcoding them.

  • Pass
    Dependencies pinned (lockfile)lockfile present

    A lockfile makes installs reproducible and resistant to silent dependency swaps.

  • Pass
    Package name not typosquattingguarddistinct package name

    Names mimicking popular packages are a common malware delivery vector.

  • Pass
    Actively maintainedrecent commits

    Unmaintained servers don't receive security fixes.

  • Pass
    Repository not archivedguardactive

    Archived repositories will never be patched.

  • Pass
    Declares a licenseMIT

    A clear license is required for legal enterprise use.

  • Not checked
    No install/post-install scriptsguardnot determinable from PyPI metadata

    install hooks run arbitrary code on every consumer at install time.

  • Not checked
    Published with provenancenot determinable

    Build provenance attests the artifact was built from the claimed source by CI.

  • Not checked
    Signed releasesnot evaluated

    Signed releases let consumers verify artifacts weren't tampered with.

Transport & Trust Model

  • Warn
    Execution Sandboxingruns natively (no container image)

    A container/sandbox image limits blast radius; a server that runs natively has full host access.

    Fix: Ship a Dockerfile/Containerfile (or document a sandboxed run) so the server runs isolated.

  • Warn
    Network Exposurebinds 0.0.0.0

    Binding 0.0.0.0 or exposing debug inspectors widens the attack surface.

    Fix: Bind to 127.0.0.1 by default; never ship open debug endpoints.

  • N/A
    Transport Encryption (TLS)guardno remote endpoints

    Plaintext HTTP exposes traffic and bearer tokens to interception.

  • N/A
    IAM / Authentication Scopingno remote endpoints

    OAuth 2.1 / Protected Resource Metadata gates who can invoke tools.

  • N/A
    Live Endpoint Reachablenot dynamically scanned

    A dynamic scan connected to the declared remote endpoint and it responded — verified live, not a dead URL.

  • N/A
    Authentication Enforced (live)not dynamically scanned

    If the server declares auth is required, it must actually reject anonymous clients. Serving tools to unauthenticated callers is a real exposure.

Tools (80)

sassy_copysassy_movesassy_mkdirsassy_bt_scansassy_adb_pullsassy_adb_pushsassy_eventlogsassy_list_dirsassy_adb_shellsassy_audit_logsassy_file_infosassy_gh_get_mesassy_peer_listsassy_read_filesassy_adb_logcatsassy_bt_androidsassy_bt_devicessassy_edit_blocksassy_edit_multisassy_gh_get_tagsassy_launch_appsassy_launch_exesassy_write_filesassy_adb_devicessassy_adb_installsassy_audit_clearsassy_safe_deletesassy_snap_windowsassy_adb_app_infosassy_adb_packagessassy_audit_searchsassy_close_windowsassy_focus_windowsassy_gh_fork_reposassy_gh_get_teamssassy_gh_list_tagssassy_gh_star_reposassy_search_filessassy_adb_screencapsassy_clipboard_getsassy_clipboard_setsassy_gh_get_commitsassy_gh_push_filessassy_peer_announcesassy_peer_delegatesassy_read_multiplesassy_resize_windowsassy_setup_licensesassy_android_logcatsassy_crosslink_recvsassy_crosslink_sendsassy_crosslink_stopsassy_gh_create_filesassy_gh_create_reposassy_gh_delete_filesassy_gh_update_filesassy_gh_update_reposassy_combo_pr_reviewsassy_crosslink_startsassy_eventlog_searchsassy_gh_list_commitssassy_gh_list_starredsassy_gh_search_repossassy_adb_wifi_connectsassy_crosslink_statussassy_gh_create_branchsassy_gh_list_branchessassy_gh_list_releasessassy_coordination_boardsassy_crosslink_registersassy_combo_codebase_grepsassy_combo_phone_observesassy_crosslink_broadcastsassy_gh_get_team_memberssassy_clipboard_to_androidsassy_gh_get_file_contentssassy_audit_false_positivessassy_gh_get_latest_releasesassy_gh_get_release_by_tagsassy_clipboard_from_android