SkillTotal

Is Express safe?

No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Node.js network egress

express is an AI npm_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 1 risky construct are reported for review. It can: network egress — capabilities are what the code can do, not a verdict on intent. Risk score 0/100 (low).

express 5.2.1

npm_package · npm:express
LOW
0
/ 100 risk score
Snapshot · scanned Jul 5, 2026 · express@5.2.1 · engine 0.32.0 / ruleset 30

Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of Express's authors. Report a false positive.

Capabilities — what this component can do (not a risk score):
network egress

Findings (1)

MEDIUMNode.js network egressST-NET-NODE

The component makes outbound network requests.

var http = require('node:http');
*    var http = require('node:http')
*      , https = require('node:https')
var http = require('node:http');
var http = require('node:http');
var { METHODS } = require('node:http');

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.

Check your own component

Run the same evidence-backed scan on any MCP server, agent skill, or package.

Scan your own component

Or get notified if this component's risk changes:

How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →