Whois

Domain WHOIS queries and AI-driven domain recommendations.

mcp-so:whois_HopeDomain

Grade: A (100/100)

First Seen: Feb 19, 2026

Last Scanned: Feb 20, 2026

Findings: 3 (LOW 3)

Score: 100/100

Findings (3)

LOW
npx MCP server without version pin
L67

Detects MCP server configs using npx to run packages without version pinning

"command": "npx"
FIX

Pin the npx package in the MCP config to an exact version (e.g., @scope/server@1.2.3). Unpinned npx commands can silently fetch a compromised package version.

FP?

Likely FP if the MCP config is a local development setup example, though unpinned npx in production configs is a real supply chain risk.

LOW
Hardcoded secrets in MCP env block
L77

Detects hardcoded API keys, tokens, or passwords in MCP server environment configuration

"env": { + "HOPE_DOMAIN_API_KEY": "sk-your_api_key_here"
FIX

Remove shell metacharacters (semicolons, pipes, ampersands, backticks) from MCP server arguments. Use explicit argument arrays and avoid shell expansion in MCP configurations.

FP?

Likely FP if the metacharacter is a literal part of a non-shell argument (e.g., a regex pattern or a URL query parameter containing ampersands).

LOW
npx MCP server without version pin
L110

Detects MCP server configs using npx to run packages without version pinning

"command": "npx"
FIX

Pin the npx package in the MCP config to an exact version (e.g., @scope/server@1.2.3). Unpinned npx commands can silently fetch a compromised package version.

FP?

Likely FP if the MCP config is a local development setup example, though unpinned npx in production configs is a real supply chain risk.