SkillTotal

Is Korea Stock MCP server safe?

korea-stock-mcp is an AI npm_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 4 risky constructs are reported for review. It can: install time execution, mcp tools detected, network egress and shell execution — capabilities are what the code can do, not a verdict on intent. Risk score 0/100 (low).

korea-stock-mcp 1.4.0

npm_package · https://github.com/jjlabsio/korea-stock-mcp
LOW
0
/ 100 malicious-risk
Snapshot · scanned Jun 20, 2026 · korea-stock-mcp@1.4.0 · engine 0.18.0 / ruleset 19
No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Node.js shell/command execution
  • Node.js network egress
  • npm prepare hook

No malicious indicators found by static analysis.

Capabilities — what this component can do (not a risk score):
install time executionmcp tools detectednetwork egressshell execution

Findings (4)

HIGHNode.js shell/command executionST-SHELL-NODE

The component can run operating-system commands or spawn processes.

src/dart/disclosure-xml.ts:110-110 
while ((match = titleRegex.exec(xml)) !== null) {
src/dart/disclosure-xml.ts:172-172 
while ((m = idRegex.exec(xml)) !== null) {

Why it matters: Powerful and often legitimate — confirm the commands aren't built from untrusted input.

Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; prefer execFile with an argument array.

MEDIUMnpm prepare hookST-INSTALL-NPM-PREPARE

package.json has a 'prepare' script (runs on git/local installs and before publishing).

package.json:16-16 
"prepare": "npm run build",

Why it matters: Usually a build step, but confirm it doesn't fetch or run remote code.

Fix: Usually a legitimate build step; confirm it only builds and does not fetch or execute remote code.

MEDIUMNode.js network egressST-NET-NODE

The component makes outbound network requests.

scripts/generate-corp-codes.ts:20-20 
const response = await fetch(url);
src/dart/corp-code-proxy.ts:19-19 
const response = await fetch(PROXY_URL, { signal: controller.signal });
src/utils/request.ts:17-17 
const response = await fetch(
src/utils/request.ts:37-37 
const response = await fetch(url, {

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.

LOWMCP tool surface detectedST-MCP-DETECTED

An MCP tool surface (manifest or tool definitions) was found.

server.json:1-1 
{

Why it matters: Just context — review which tools it offers and their permissions.

Fix: Review the declared MCP tools and their permissions.

Check your own component

Run the same evidence-backed scan on any MCP server, agent skill, or package.

Scan your own component

Or get notified if this component's risk changes:

How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →