SkillTotal

Is Web Scout MCP server safe?

@pinkpixel/web-scout-mcp is an AI npm_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 4 risky constructs are reported for review. It can: filesystem read, filesystem write, mcp tools detected and network egress — capabilities are what the code can do, not a verdict on intent. Risk score 0/100 (low).

@pinkpixel/web-scout-mcp 1.5.6

npm_package · https://github.com/pinkpixel-dev/web-scout-mcp
LOW
0
/ 100 malicious-risk
Snapshot · scanned Jun 20, 2026 · @pinkpixel/web-scout-mcp@1.5.6 · engine 0.18.0 / ruleset 19
No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Node.js filesystem read
  • Node.js filesystem write/delete
  • Node.js network egress

No malicious indicators found by static analysis.

Capabilities — what this component can do (not a risk score):
filesystem readfilesystem writemcp tools detectednetwork egress

Findings (4)

MEDIUMNode.js filesystem readST-FS-NODE-READ

The component reads files from disk.

src/index.ts:250-250 
const fileData = await fs.readFile(tempFilePath, 'utf-8');

Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.

Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.

MEDIUMNode.js filesystem write/deleteST-FS-NODE-WRITE

The component writes or deletes files on disk.

src/index.ts:217-217 
await fs.unlink(file);
src/index.ts:247-247 
await fs.writeFile(tempFilePath, html);
src/index.ts:269-269 
await fs.unlink(tempFilePath);

Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.

Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.

MEDIUMNode.js network egressST-NET-NODE

The component makes outbound network requests.

src/index.ts:5-5 
import axios from "axios";
src/index.ts:129-129 
const response = await axios.post(
src/index.ts:182-182 
if (axios.isAxiosError(error) && error.code === 'ECONNABORTED') {
src/index.ts:184-184 
} else if (axios.isAxiosError(error)) {
src/index.ts:305-305 
const response = await axios.get(urlStr, {
src/index.ts:319-319 
if (axios.isAxiosError(error) && error.code === 'ECONNABORTED') {
src/index.ts:322-322 
} else if (axios.isAxiosError(error)) {

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.

LOWMCP tool surface detectedST-MCP-DETECTED

An MCP tool surface (manifest or tool definitions) was found.

OVERVIEW.md:59-59 
const server = new Server(
src/index.ts:393-393 
server.registerTool(
src/index.ts:428-428 
server.registerTool(

Why it matters: Just context — review which tools it offers and their permissions.

Fix: Review the declared MCP tools and their permissions.

Check your own component

Run the same evidence-backed scan on any MCP server, agent skill, or package.

Scan your own component

Or get notified if this component's risk changes:

How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →