Is Ref Tools MCP server safe?
ref-tools-mcp is an AI npm_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 2 risky constructs are reported for review. It can: mcp tools detected and network egress — capabilities are what the code can do, not a verdict on intent. Risk score 0/100 (low).
ref-tools-mcp 3.0.3
- Node.js network egress
- MCP tool surface detected
No malicious indicators found by static analysis.
Findings (2)
The component makes outbound network requests.
import axios from 'axios'
const response = await axios.get(url, {if (axios.isAxiosError(error) && error.response?.status === 401) {text: `Error during documentation search: ${axios.isAxiosError(error) ? error.message : (error as Error).message}`,const response = await axios.get(readUrl, {if (axios.isAxiosError(error) && error.response?.status === 401) {text: `Error reading URL: ${axios.isAxiosError(error) ? error.message : (error as Error).message}`,Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.
Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.
An MCP tool surface (manifest or tool definitions) was found.
Why it matters: Just context — review which tools it offers and their permissions.
Fix: Review the declared MCP tools and their permissions.
Check your own component
Run the same evidence-backed scan on any MCP server, agent skill, or package.
Scan your own componentOr get notified if this component's risk changes:
How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →