SkillTotal

Is GitMCP safe?

git-mcp is an AI npm_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 3 risky constructs are reported for review. It can: install time execution, network egress and shell execution — capabilities are what the code can do, not a verdict on intent. Risk score 0/100 (low).

git-mcp 1.0.0

npm_package · https://github.com/idosal/git-mcp
LOW
0
/ 100 malicious-risk
Snapshot · scanned Jun 20, 2026 · git-mcp@1.0.0 · engine 0.18.0 / ruleset 19
No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Node.js shell/command execution
  • Node.js network egress
  • npm prepare hook

No malicious indicators found by static analysis.

Capabilities — what this component can do (not a risk score):
install time executionnetwork egressshell execution

Findings (3)

HIGHNode.js shell/command executionST-SHELL-NODE

The component can run operating-system commands or spawn processes.

app/chat/components/markdown.tsx:21-21 
const match = /language-(\w+)/.exec(className || "");
worker-configuration.d.ts:2235-2235 
exec(input?: (string | URLPatternInit), baseURL?: string): URLPatternResult | null;
worker-configuration.d.ts:4670-4670 
exec(query: string): Promise<D1ExecResult>;

Why it matters: Powerful and often legitimate — confirm the commands aren't built from untrusted input.

Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; prefer execFile with an argument array.

MEDIUMnpm prepare hookST-INSTALL-NPM-PREPARE

package.json has a 'prepare' script (runs on git/local installs and before publishing).

package.json:18-18 
"prepare": "husky"

Why it matters: Usually a build step, but confirm it doesn't fetch or run remote code.

Fix: Usually a legitimate build step; confirm it only builds and does not fetch or execute remote code.

MEDIUMNode.js network egressST-NET-NODE

The component makes outbound network requests.

src/api/utils/cache.ts:279-279 
const response = await fetch(url, {
src/api/utils/githubClient.ts:171-171 
const response = await fetch(url, {
src/api/utils/helpers.ts:85-85 
const response = await fetch(url);
src/api/utils/robotsTxt.ts:142-142 
const response = await fetch(robotsTxtUrl);
src/index.ts:105-105 
async fetch(request: Request, env: any, ctx: any) {
src/index.ts:152-152 
return await MyMCP.serve("/*").fetch(request, env, ctx);
src/utils.ts:179-179 
const res = await env.ASSETS.fetch(`${origin}/README.md`);
worker-configuration.d.ts:230-230 
fetch(input: RequestInfo | URL, init?: RequestInit<RequestInitCfProperties>): Promise<Response>;
worker-configuration.d.ts:326-326 
declare function fetch(input: RequestInfo | URL, init?: RequestInit<RequestInitCfProperties>): Promise<Response>;
worker-configuration.d.ts:413-413 
fetch(request: Request): Response | Promise<Response>;
worker-configuration.d.ts:1427-1427 
fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.

Check your own component

Run the same evidence-backed scan on any MCP server, agent skill, or package.

Scan your own component

Or get notified if this component's risk changes:

How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →