critical
suspicious.dangerous_exec
- Location
- tahcia-mcp.cjs:29895
- Finding
- Shell command execution detected (child_process).
- Evidence
const matches = RELATIVE_JSON_POINTER.exec($data);
Tahcia
AdvisoryAudited by Static analysis on May 15, 2026.
Overview
Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.env_credential_access
Findings (3)
critical
suspicious.dynamic_code_execution
- Location
- tahcia-mcp.cjs:30044
- Finding
- Dynamic code execution detected.
- Evidence
const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);
critical
suspicious.env_credential_access
- Location
- tahcia-mcp.cjs:34922
- Finding
- Environment variable access combined with network send.
- Evidence
if (!process.env.WS_NO_BUFFER_UTIL) {