DEV Community

Michael Kayode Onyekwere
Michael Kayode Onyekwere

Posted on

AGENTSCORE-2026-0003: `local-mcp` risk change detected

#security #mcp #npm #supplychain

local-mcp updated from 3.0.49 to 3.0.50. Score changed 90/100 to 70/100 (-20). Risk: LOW to MODERATE. 3 findings.

Package

  • Name: local-mcp
  • Version: 3.0.49 to 3.0.50
  • Score: 90/100 to 70/100
  • Risk: LOW to MODERATE

Findings

  • [LOW] install_script: Package has 'postinstall' script: node postinstall.js
  • [HIGH] command_injection: Potential command injection: shell execution with template literal input
  • [LOW] no_provenance: Package is not published with provenance attestations or trusted publishing. Published by: lanchuske

Full advisory: AGENTSCORE-2026-0003

Verdict API: curl https://agentscores.xyz/api/verdict?npm=local-mcp

Auto-published by AgentScore MCP security monitoring.

Top comments (0)