SkillTotal

Is Azure MCP Server safe?

@azure/mcp is an AI npm_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 3 risky constructs are reported for review. Its capabilities are install-time execution and shell execution; capabilities are what the code can do, not a verdict on intent. Risk score 20/100 (low).

@azure/mcp 3.0.0-beta.20

npm_package · npm:@azure/mcp
LOW · 20 / 100 malicious-risk
Snapshot · scanned Jun 20, 2026 · @azure/mcp@3.0.0-beta.20 · engine 0.18.0 / ruleset 19
No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Node.js shell/command execution
  • Possible command injection (exec with dynamic command)
  • npm install-time lifecycle hook

No malicious indicators found by static analysis.

Capabilities — what this component can do (not a risk score):
  • install time execution
  • shell execution

Findings (3)

HIGH · Possible command injection (exec with dynamic command) · ST-CMDI-NODE

The code builds an OS command out of values that can change at runtime, then runs it through a shell.

execSync(`npm install ${platformPackageName}@${packageVersion}`, {
execSync(`npm install ${platformPackageName}@${packageVersion} --no-save --prefer-online`, {

Why it matters: If any of those values come from untrusted input, an attacker can run their own commands on the machine.

Fix: Use execFile/spawn with an argument array instead of exec; never build a shell command string from external input.

HIGH · npm install-time lifecycle hook · ST-INSTALL-NPM

package.json runs scripts automatically when the package is installed.

"postinstall": "node ./scripts/post-install-script.js"

Why it matters: Install scripts are a favorite supply-chain foothold — they execute on every machine that installs the package.

Fix: Inspect the hook command. Install-time scripts are a common supply chain execution vector; ensure they do nothing beyond a documented build step.

HIGH · Node.js shell/command execution · ST-SHELL-NODE

The component can run operating-system commands or spawn processes.

const { execSync } = require('child_process')
execSync(`npm install ${platformPackageName}@${packageVersion}`, {
execSync(`npm install ${platformPackageName}@${packageVersion} --no-save --prefer-online`, {

Why it matters: Powerful and often legitimate — confirm the commands aren't built from untrusted input.

Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; prefer execFile with an argument array.

How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution.