Vvoxbuilder-mcp-local(Demo) MCP Server to create and draw .vox models file locally

mcp-so:voxbuilder-mcp-local_tobylai-toby

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 20, 2026

Findings

Score

100/100

LOW 1

Findings (1)

LOW

npx auto-install without confirmation EXTDL_003

external-download L30

Detects npx with -y flag that bypasses user confirmation for package installation

npx
-y

FIX

Replace npx -y with an explicit npm install step that pins the package to a specific version, then run it. Remove the -y flag to require user confirmation.

FP?

Likely FP if the npx command runs a well-known, trusted tool (e.g., create-react-app) in documentation context with no version pinning concern.