Is Anilist MCP server safe?
anilist-mcp is an AI npm package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 3 risky constructs are reported for review. Detected capabilities: install-time execution and MCP tools. Capabilities are what the code can do, not a verdict on intent. Risk score: 0/100 (low).
anilist-mcp 1.4.0
- Dangerous MCP tool capability
- npm prepare hook
- MCP tool surface detected
No malicious indicators found by static analysis.
Findings (3)
An MCP tool exposes a powerful capability (files, shell, network, browser, or credentials).
"name": "get_user_activity",
Why it matters: Wired into an agent, these grant it real access to your machine — confirm each is required.
Fix: Confirm each powerful tool is required and constrained; broad MCP tools (shell/filesystem/network) grant an agent significant host access.
package.json has a 'prepare' script (runs on git/local installs and before publishing).
"prepare": "pnpm run build",
Why it matters: Usually a build step, but confirm it doesn't fetch or run remote code.
Fix: Usually a legitimate build step; confirm it only builds and does not fetch or execute remote code.
An MCP tool surface (manifest or tool definitions) was found.
"tools": [
Why it matters: Just context — review which tools it offers and their permissions.
Fix: Review the declared MCP tools and their permissions.
How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution.