Back to skill

Security audit

Sefaria MCP Server

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Sefaria lookup MCP server with no evidence of hidden local access, persistence, credential handling, or destructive behavior.

Install it if you are comfortable running a Node MCP server that sends your text references and search queries to Sefaria's public API. For stricter supply-chain control, prefer installs that honor the lockfile or review dependency updates before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Unpinned Dependencies

Low
Category
Supply Chain
Content
"url": "git+https://github.com/abeperl/sefaria-mcp-server.git"
  },
  "dependencies": {
    "@modelcontextprotocol/sdk": "^1.29.0",
    "zod": "^4.4.3"
  },
  "devDependencies": {
Confidence
89% confidence
Finding
"@modelcontextprotocol/sdk": "^1.29.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "@modelcontextprotocol/sdk": "^1.29.0",
    "zod": "^4.4.3"
  },
  "devDependencies": {
    "@types/node": "^22.19.13",
Confidence
89% confidence
Finding
"zod": "^4.4.3"

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.