cloudflare-mcp-server

skills-sh:jezweb_claude-skills__cloudflare-mcp-server

B
75/100

First Seen: Feb 18, 2026
Last Scanned: Feb 20, 2026
Findings: 15
Score: 75/100

CRITICAL 1
LOW 14

Findings (15)

CRITICAL
Hidden tool registration
L1180

Detects dynamic tool registration patterns that could inject malicious tools

Dynamically add tool
FIX

Remove or restrict the tool's ability to run arbitrary code. Implement sandboxing, input validation, and output filtering. Require user confirmation for any code execution.

FP?

Likely FP if the tool is a code execution sandbox (e.g., REPL, notebook) that is explicitly designed for this purpose with documented security boundaries.

LOW
Non-localhost remote MCP server URL
L107

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://my-mcp.YOUR_ACCOUNT.workers.dev/sse"
FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW
Non-localhost remote MCP server URL
L219

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://my-mcp.workers.dev/sse"
FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW
Non-localhost remote MCP server URL
L228

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://my-mcp.workers.dev"
FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW
Non-localhost remote MCP server URL
L232

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://my-mcp.workers.dev/"
FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW
Non-localhost remote MCP server URL
L291

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://my-mcp.workers.dev"
FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW
Non-localhost remote MCP server URL
L347

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://my-mcp.YOUR_ACCOUNT.workers.dev/sse"
FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW
Non-localhost remote MCP server URL
L1661

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://worker.dev/sse"
FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW
Non-localhost remote MCP server URL
L1667

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://worker.dev"
FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW
Non-localhost remote MCP server URL
L1807

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://my-mcp.YOUR_ACCOUNT.workers.dev/sse"
FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW
Non-localhost remote MCP server URL
L1828

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://my-mcp.YOUR_ACCOUNT.workers.dev/sse"
FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW
Non-localhost remote MCP server URL
L2464

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://worker.dev/sse"
FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW
Non-localhost remote MCP server URL
L2477

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://worker.dev/sse"
FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW
Non-localhost remote MCP server URL
L2493

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://worker.dev/sse"
FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW
Non-localhost remote MCP server URL
L2794

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://mcp.workers.dev/sse"
FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).