LLinkup Model Context ProtocolJavascript version of the Linkup MCP server.

mcp-so:js-mcp-server_LinkupPlatform

View source

92/100

First Seen

Feb 18, 2026

Last Scanned

Feb 18, 2026

Findings

Score

92/100

MEDIUM 1

LOW 1

Findings (2)

MEDIUM

CLI credential flags CRED_015

credential-leak L30

Detects command-line flags passing credentials with real-looking values

--api-key
=
YOUR_LINKUP_API_KEY

FIX

Remove credential values from CLI flags (e.g., --password, --token). Use environment variables, config files with restricted permissions, or interactive prompts instead.

FP?

Likely FP if the CLI flag is shown in a help text example (e.g., --token YOUR_TOKEN) without an actual credential value.

LOW

npx auto-install without confirmation EXTDL_003

external-download L28

Detects npx with -y flag that bypasses user confirmation for package installation

npx
-y

FIX

Replace npx -y with an explicit npm install step that pins the package to a specific version, then run it. Remove the -y flag to require user confirmation.

FP?

Likely FP if the npx command runs a well-known, trusted tool (e.g., create-react-app) in documentation context with no version pinning concern.