mcp-oauth
Audited by Socket on Feb 22, 2026
1 alert found:
Security [Skill Scanner]: Backtick command substitution detected

All findings:
  [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
  [HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]
  [HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]
  [HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]
  [HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]
  [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
  [HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]
  [HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]

This skill is functionally coherent with its stated purpose (an OAuth test/client flow for MCP servers). I do not see outright malicious intent in the provided instructions. However, there are several security concerns: sensitive data (authorization code/state/tokens) is written to /tmp without guidance on secure permissions; a local HTTP server is launched (attack surface); and the tool will perform network calls to arbitrary endpoints supplied by the user, making phishing or token capture possible if the user points it at a malicious server. The behavior of the referenced scripts (scripts/pkce.js and scripts/callback_server.js) is not shown and represents the main unknown risk. Recommend auditing those scripts, avoiding world-readable /tmp files, and using private loopback-only bindings and secure file permissions. Treat this as a medium-risk utility that is benign in intent but requires code review and operational hardening before use.

LLM verification: Functionally coherent with a generic OAuth 2.1 client for MCP servers; capabilities align with stated purpose.
Main security concerns are: temporary storage of sensitive tokens/codes in /tmp (possible local exposure), and the inherent risk of sending credentials/tokens to arbitrary MCP servers discovered from user-provided URLs (expected for this tool but dangerous if the endpoint is malicious). No evidence of obfuscated or intentionally malicious behavior in the provided instructions or flagged