Is Graphlit MCP server safe?
graphlit-mcp-server is an npm package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 3 risky constructs are reported for review. Capabilities detected: filesystem read, MCP tools, and network egress. Capabilities describe what the code can do, not a verdict on intent. Risk score 0/100 (low).
graphlit-mcp-server 1.0.1
- Dangerous MCP tool capability
- Node.js filesystem read
- Node.js network egress
No malicious indicators found by static analysis.
Findings (3)
An MCP tool exposes a powerful capability (files, shell, network, browser, or credentials).
server.tool(
"screenshotPage",
server.tool(
"sendWebHookNotification",
Why it matters: Wired into an agent, these grant it real access to your machine — confirm each is required.
Fix: Confirm each powerful tool is required and constrained; broad MCP tools (shell/filesystem/network) grant an agent significant host access.
The component reads files from disk.
const fileData = fs.readFileSync(filePath);
Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.
Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.
The component makes outbound network requests.
const fetchResponse = await fetch(url);
Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.
Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.
How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution.