Is Waystation Ai MCP server safe?
@waystation/mcp is an npm package (an MCP server) analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 6 risky constructs are reported for review. Capabilities detected: filesystem read, filesystem write, MCP tools, network egress and shell execution. Capabilities describe what the code can do, not a verdict on intent. Risk score 20/100 (low).
@waystation/mcp 0.3.1
- Node.js shell/command execution
- Possible command injection (exec with dynamic command)
- Node.js filesystem read
No malicious indicators found by static analysis.
Findings (6)
The code builds an OS command out of values that can change at runtime, then runs it through a shell.
execSync(`start "" "${wayStationPath}"`, { shell: 'cmd.exe' });
execSync(`osascript -e "${escapeAppleScriptString(applescript)}"`);
Why it matters: If any of those values come from untrusted input, an attacker can run their own commands on the machine. Under cmd.exe a `"` inside wayStationPath ends the quoted argument and `&` chains a further command. escapeAppleScriptString is applied before the shell parses the osascript command line; its implementation is not shown here, and whatever it escapes for AppleScript, the shell's own metacharacters inside double quotes ($, backtick and backslash under sh) still have to be handled at the shell layer.
Fix: Use execFile/spawn with an argument array instead of exec; never build a shell command string from external input.
The component can run operating-system commands or spawn processes.
import { execSync } from 'child_process';
execSync(`start "" "${wayStationPath}"`, { shell: 'cmd.exe' });
execSync(`osascript -e "${escapeAppleScriptString(applescript)}"`);
Why it matters: Powerful and often legitimate; confirm the commands aren't built from untrusted input.
Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; prefer execFile with an argument array.
The component reads files from disk.
tokenKey = fs.readFileSync(tokenPath, 'utf8').trim();
Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.
Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.
The component writes or deletes files on disk.
fs.writeFileSync(onboardingFile, 'true');
Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.
Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.
The component makes outbound network requests.
const response = await fetch(`${API_BASE}/tools/list`, {
const response = await fetch(`${API_BASE}/tools/call`, {
Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.
Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.
An MCP tool surface (manifest or tool definitions) was found.
const server = new Server({name: "waystation",version: "0.2.2"}, {capabilities: { tools: {} }});
Why it matters: Just context; review which tools it offers and their permissions. Note that the server metadata declares version "0.2.2" while the scanned package is 0.3.1.
Fix: Review the declared MCP tools and their permissions.
How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution.