raye-deng/open-code-review · critical

🤖 AI code quality gate for AI-generated code. Detects hallucinated packages, phantom dependencies, stale APIs, and more. MCP Server + CLI + CI/CD Action.

Open Code Review is an MCP server that acts as a quality gate for AI-generated code. It scans codebases for hallucinated imports, stale APIs, over-eng...

purpose: Open Code Review is an MCP server that acts as a q
threat: local with credentials
TypeScript · ★ 23 · May 21, 2026 · ⚙ May 21, 2026
RISK SCORE: 0 / 100 risk
low findings: +10
medium findings: +150
capped at 100
VULNERABILITY ANALYSIS · 12 findings in 11 blocks · 0 HIGH · 10 MEDIUM
MEDIUM · 1 finding
packages/cli/src/index.ts:434
const diffText = execSync(`git diff ${baseRef}...${headRef}`, {
  cwd: projectRoot,
  encoding: 'utf-8',
  maxBuffer: 50 * 1024 * 1024, // 50MB
});
packages/cli/src/index.ts:29 → packages/cli/src/index.ts:434

// Local-only MCP, requires compromised LLM to exploit

EXPLAIN: The `--base` and `--head` options are passed directly into a shell command via template literal without sanitization. An attacker controlling these arguments could inject arbitrary shell commands.
IMPACT: A compromised LLM could pass malicious branch names (e.g., `origin/main; rm -rf /`) to execute arbitrary commands on the host system.
FIX: Validate that `baseRef` and `headRef` match a safe pattern (e.g., alphanumeric, slashes, dots, hyphens) or use `git` with `--no-optional-locks` and pass arguments as separate array elements to `execSync`.
MEDIUM · 1 finding
packages/cli/src/index.ts:1095
if (parsed.output && parsed.output !== 'prompts') {
  writeFileSync(parsed.output, reportMarkdown, 'utf-8');
  console.error(`  Report written to: ${parsed.output}`);
}
packages/cli/src/index.ts:25 → packages/cli/src/index.ts:1095

// Local-only MCP, requires compromised LLM to exploit

EXPLAIN: Same vulnerability as in scan command: the `--output` path is used directly without validation, allowing arbitrary file writes.
IMPACT: A compromised LLM could overwrite arbitrary files on the system.
FIX: Restrict output paths to a designated directory and validate against path traversal.
MEDIUM · 1 finding
packages/cli/src/index.ts:499
if (parsed.output) {
  writeFileSync(parsed.output, outputStr, 'utf-8');
  console.error(`Report written to: ${parsed.output}`);
}
packages/cli/src/index.ts:25 → packages/cli/src/index.ts:499

// Local-only MCP, requires compromised LLM to exploit

EXPLAIN: The `--output` option is used directly as a file path without validation. An attacker could write to arbitrary locations, potentially overwriting critical files.
IMPACT: A compromised LLM could overwrite configuration files, source code, or system files by controlling the output path.
FIX: Restrict output paths to a designated output directory (e.g., project root or a temp dir) and validate that the path does not contain traversal sequences.
MEDIUM · 1 finding
packages/cli/src/index.ts:736
if (output) {
  writeFileSync(output, report, 'utf-8');
  console.error(`Report written to: ${output}`);
}
packages/cli/src/index.ts:25 → packages/cli/src/index.ts:736

// Local-only MCP, requires compromised LLM to exploit

EXPLAIN: The V3 scan command also uses the `--output` path directly without validation.
IMPACT: A compromised LLM could overwrite arbitrary files.
FIX: Restrict output paths to a designated directory.
MEDIUM · 1 finding
packages/cli/src/index.ts:1103
const sarifDir = parsed.output ? resolve(parsed.output, '..') : projectRoot;
const sarifPath = resolve(sarifDir, 'ocr-heal-report.sarif.json');
try {
  writeFileSync(sarifPath, reporter.generateSARIF(healReport, aggregate), 'utf-8');
  console.error(`  SARIF report: ${sarifPath}`);
} catch {
  // Ignore SARIF write errors
}
packages/cli/src/index.ts:25 → packages/cli/src/index.ts:1103

// Local-only MCP, requires compromised LLM to exploit

EXPLAIN: The SARIF report path is derived from `parsed.output` using `resolve(parsed.output, '..')`, which can be manipulated to write outside the intended directory.
IMPACT: A compromised LLM could write a SARIF file to an arbitrary location by controlling the output path.
FIX: Use a fixed output directory for SARIF reports or validate the resolved path.
MEDIUM · 1 finding
packages/cli/src/index.ts:745
const healPath = output ? output.replace(/\.\w+$/, '.heal.md') : 'ai-heal-prompt.md';
writeFileSync(healPath, prompt, 'utf-8');
console.error(`AI heal prompt written to: ${healPath}`);
packages/cli/src/index.ts:25 → packages/cli/src/index.ts:745

// Local-only MCP, requires compromised LLM to exploit

EXPLAIN: The heal prompt path is derived from the output path by replacing the extension, which can be manipulated to write to arbitrary locations.
IMPACT: A compromised LLM could write a heal prompt file to an arbitrary location.
FIX: Restrict output paths to a designated directory.
MEDIUM · 2 findings
packages/cli/src/index.ts:343
const scanPath = parsed.paths[0] ?? '.';
const projectRoot = resolve(scanPath);
MEDIUM · 1 finding
packages/cli/src/index.ts:685
for (const p of paths) {
  try {
    if (existsSync(p) && statSync(p).isDirectory()) {
      expandedPaths.push(
        `${p}/**/*.ts`, `${p}/**/*.js`,
        `${p}/**/*.tsx`, `${p}/**/*.jsx`,
      );
    } else {
      expandedPaths.push(p);
    }
  } catch {
    expandedPaths.push(p);
  }
}
packages/cli/src/index.ts:25 → packages/cli/src/index.ts:685

// Local-only MCP, requires compromised LLM to exploit

EXPLAIN: User-provided paths are used directly in glob patterns without validation, allowing reading files outside the intended scope.
IMPACT: A compromised LLM could read arbitrary files by specifying paths like `/etc/passwd`.
FIX: Validate that paths are within the project directory.
MEDIUM · 1 finding
packages/cli/src/index.ts:1013
for (const p of parsed.paths) {
  expandedPaths.push(`${p}/**/*.ts`, `${p}/**/*.js`, `${p}/**/*.tsx`, `${p}/**/*.jsx`,
    `${p}/**/*.py`, `${p}/**/*.java`, `${p}/**/*.go`, `${p}/**/*.kt`);
}
packages/cli/src/index.ts:25 → packages/cli/src/index.ts:1013

// Local-only MCP, requires compromised LLM to exploit

EXPLAIN: Same issue as V3 scan: user-provided paths are used directly in glob patterns.
IMPACT: A compromised LLM could read arbitrary files.
FIX: Validate that paths are within the project directory.
LOW · 1 finding
packages/cli/src/index.ts:968
const configManager = new ConfigManager();
configManager.set('apiKey', value);
console.log('✓ API key saved');
packages/cli/src/index.ts:31 → packages/cli/src/index.ts:968

// Local-only MCP, requires compromised LLM to exploit

EXPLAIN: The `config set api-key` command stores the API key in a configuration file (likely `~/.aicv/config.yml`) in plaintext. While this is a local file, it could be read by other processes or users.
IMPACT: An attacker with local access could retrieve the stored API key.
FIX: Encrypt the API key or store it in a system keychain.
LOW · 1 finding
packages/cli/src/index.ts:843
LicenseValidator.saveLicenseKey(trimmedKey);
packages/cli/src/index.ts:41 → packages/cli/src/index.ts:843

// Local-only MCP, requires compromised LLM to exploit

EXPLAIN: The license key is saved to `~/.aicv/license` in plaintext.
IMPACT: An attacker with local access could retrieve the license key.
FIX: Encrypt the license key or store it in a system keychain.
◷ 5/21/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.