ZZhook Mcp ServerThe official Model Context Protocol (MCP) server for https://zhook.dev, enabling AI agents to interact with your Zhook webhooks, events, and metrics. Create Hooks: Create new webhooks or MQTT hooks directly from your agent. List Hooks: Retrieve a list of your configured webhooks. Inspect Events: View recent events for a specific hook. Wait for Event: Pause execution and wait for a specific event to occur. Metrics: Access detailed metrics about your webhook performance.
mcp-so:zhook-mcp-server_zhookteam
View sourceFirst Seen
Feb 18, 2026
Last Scanned
Feb 18, 2026
Findings
3
Score
67/100
Findings (3)
Text combines credential access with network transmission
Create Hooks: Create new webhooks or MQTT hooks directly from your agent.
List Hooks: Retrieve a list of your configured webhooks.
Inspect Events: View recent events for a specific hook.
Wait for Even...Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Detects -y, --yes, or --auto-approve flags in MCP/skill install commands that bypass user confirmation
"-y"Remove the -y/--yes auto-confirm flag from MCP server launch arguments. This flag bypasses user confirmation prompts and allows unattended execution of potentially dangerous operations.
Likely FP if the matched text is an isolated flag (-y or --yes) in documentation describing command-line options, not in an actual MCP config.
Detects MCP server configs using npx to run packages without version pinning
"command": "npx"Pin the npx package in the MCP config to an exact version (e.g., @scope/server@1.2.3). Unpinned npx commands can silently fetch a compromised package version.
Likely FP if the MCP config is a local development setup example, though unpinned npx in production configs is a real supply chain risk.