Is Docfork MCP server safe?
docfork is an AI npm package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 6 risky constructs are reported for review. Detected capabilities: install-time execution, MCP tools, network egress and shell execution. Capabilities are what the code can do, not a verdict on intent. Risk score: 20/100 (low).
docfork 2.1.0
- Node.js shell/command execution
- Possible command injection (exec with dynamic command)
- npm install-time lifecycle hook
No malicious indicators found by static analysis.
Findings (6)
The code builds an OS command out of values that can change at runtime, then runs it through a shell.
exec(`${cmd} "${url}"`, () => {
Why it matters: If any of those values come from untrusted input, an attacker can run their own commands on the machine.
Fix: Use execFile/spawn with an argument array instead of exec; never build a shell command string from external input.
package.json runs scripts automatically when the package is installed.
"preinstall": "npx only-allow pnpm",
Why it matters: Install scripts are a favorite supply-chain foothold — they execute on every machine that installs the package.
Fix: Inspect the hook command. Install-time scripts are a common supply chain execution vector; ensure they do nothing beyond a documented build step.
An MCP server entry launches a command on your host.
"command": "node",
Why it matters: Trusting the manifest means running that binary — verify what it is and where it comes from.
Fix: Verify the launched command and its source before trusting this MCP server configuration.
The component can run operating-system commands or spawn processes.
import { execFile } from "node:child_process";
import { exec } from "node:child_process";
exec(`${cmd} "${url}"`, () => {
Why it matters: Powerful and often legitimate — confirm the commands aren't built from untrusted input.
Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; prefer execFile with an argument array.
The component makes outbound network requests.
response = await fetch(url.toString(), {
response = await fetch(url, {
response = await fetch(`${WORKOS_BASE_URL}/user_management/authorize/device`, {
response = await fetch(`${WORKOS_BASE_URL}/user_management/authenticate`, {
return fetch(TELEMETRY_URL, {
const response = await fetch(url.toString(), {
const response = await fetch(url.toString(), {
await fetch(TELEMETRY_URL, {
const upstream = await fetch(`${AUTH_SERVER_URL}/.well-known/oauth-authorization-server`);
Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.
Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.
An MCP tool surface (manifest or tool definitions) was found.
"mcpServers": {
"mcpServers": {
server.registerTool(
server.registerTool(
Why it matters: Just context — review which tools it offers and their permissions.
Fix: Review the declared MCP tools and their permissions.
How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution.