HackerTrans
トップ新着トレンドコメント過去質問紹介求人

fabriclayer

no profile record

投稿

[untitled]

1 ポイント·投稿者 fabriclayer·4 か月前·0 コメント

コメント

fabriclayer
·5 か月前·議論
The npm comparison is right but I'd argue you're being generous. At least npm had years before the malicious package wave hit. MCP is getting it within months of going mainstream.

Thing is — your scanner catches the dumb mistakes (eval on untrusted input, hardcoded creds). Those devs are careless. The scarier category is servers with zero code vulns because they were written specifically to be malicious. Clean repo, good README, useful-sounding tool name. Passes every static check. Then on day 7 after it's in a thousand configs, the tool description quietly gets a new paragraph that the LLM reads as instructions.

You can't lint your way out of that. It's a trust problem not a code quality problem.

Does MCPShield do any post-install monitoring or is it purely a before you pull the trigger tool?