npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

mcp-stdio-shellguard

v0.1.0

Published

Defense-in-depth bundle for MCP stdio servers: drop-in guard for child_process.exec/spawn, AST audit CLI for unsanitized shell calls, and a reference MCP server that exposes both. Closes the Ox-Security 200k-server stdio-RCE class.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

studiomeyer-iostudiomeyer-io

Keywords

mcpmodel-context-protocolsecurityshell-injectionrcestdioauditsandboxallowlistchild_processdefensive-security

Readme

mcp-stdio-shellguard

Defense-in-depth bundle for MCP stdio servers. Wraps child_process.exec/spawn with allowlist + sandbox + replay-detection, plus an AST audit CLI (mcp-shellguard-audit) that scans MCP server sources for unsanitized shell calls. Closes the Ox-Security MCP stdio-RCE class (200k vulnerable servers, May 2026 disclosure).

  • MCP spec: 2025-06-18
  • SDK: @modelcontextprotocol/sdk ^1.29.0
  • Node: >= 20
  • License: MIT
  • Author: Matthias Meyer (StudioMeyer)

Install

npm install mcp-stdio-shellguard

Or run the audit CLI directly without installing:

npx -y -p mcp-stdio-shellguard mcp-shellguard-audit scan ./src

What it gives you

Three layers, opt-in piecewise:

  1. Library API — drop-in guardExec / guardSpawn you call from your own MCP server. Default-deny allowlist, sandbox profiles, replay window.
  2. Audit CLImcp-shellguard-audit scan <path> walks the AST, reports 12 anti-patterns from LOW (no timeout) to CRITICAL (exec(\...${userInput}...`)`).
  3. Reference MCP servermcp-stdio-shellguard-demo exposes 8 tools so the MCP Inspector / Claude Desktop can drive the bundle directly.

Tools (reference server)

| Tool | Type | Purpose | |------|------|---------| | guard_exec | destructive | Defended child_process.exec. Forces args[] vector, allowlist + sandbox + replay. Returns stdout, stderr, exitCode, canonicalHash, isReplay, trustTier. | | guard_spawn | destructive | Defended child_process.spawn. Returns SHA-256 hashes of stdout/stderr instead of full bodies. Hard-rejects shell:true. | | register_allowlist | mutating | Register a tool name with executable + args regex. Without registration the default-deny applies. | | audit_source | read-only | Scan a TS/JS path for shell-injection anti-patterns. Returns AuditFinding[] + summary. | | audit_report | read-only | Format an audit result as markdown / json / SARIF 2.1.0. | | replay_check | read-only | Compute canonical SHA-256 hash for an invocation and report whether it's already in the replay window. | | sandbox_status | read-only | Report active sandbox profile + concrete limits + cgroup-v2 active flag. | | trust_tier | read-only | Derive LOW/MEDIUM/HIGH/CRITICAL tier for a registered tool plus improvement hints. |

Sandbox profiles

| Profile | Timeout | Max stdout | Max stderr | FD budget | cgroup-v2 | |---------|---------|-----------|-----------|-----------|-----------| | strict | 5 s | 1 MB | 256 KB | 32 | yes (cpu/memory) | | standard (default) | 30 s | 10 MB | 1 MB | 256 | yes | | permissive | 5 min | 100 MB | 10 MB | 1024 | no |

Caller can tighten via timeoutMs / fdBudget per call. Caller cannot widen beyond the profile.

Trust tiers

| Tier | Condition | |------|-----------| | LOW | tool not registered (default-deny) | | MEDIUM | registered but argsPatterns empty (any args allowed) | | HIGH | argsPatterns set but sandbox or replay tracker inactive | | CRITICAL | argsPatterns + sandbox + replay all active |

Lift LOW → CRITICAL by registering the tool + setting argsPatterns + running through guardExec/guardSpawn (which always activate sandbox + replay).

Library quickstart

import {
  AllowlistRegistry,
  ReplayWindow,
  guardExec,
} from "mcp-stdio-shellguard";

const registry = new AllowlistRegistry();
const replay = new ReplayWindow();

registry.register({
  toolName: "git-log",
  executable: "/usr/bin/git",
  argsPatterns: ["^log$", "^--oneline$", "^-n$", "^\\d+$"],
  sandboxProfile: "strict",
});

const result = await guardExec(
  {
    toolName: "git-log",
    command: "/usr/bin/git",
    args: ["log", "--oneline", "-n", "10"],
  },
  { registry, replay },
);

console.log(result.stdout); // → commit lines
console.log(result.trustTier); // → "CRITICAL"
console.log(result.canonicalHash); // → 64-char SHA-256

Audit CLI

mcp-shellguard-audit scan ./src
mcp-shellguard-audit scan ./src --format sarif --output audit.sarif
mcp-shellguard-audit scan ./src --severity-floor HIGH    # CI gate

Exit codes:

  • 0 clean (no findings at-or-above floor)
  • 1 findings present
  • 2 parse / IO errors

Anti-pattern library (12 rules)

| ID | Severity | Triggers on | |----|----------|-------------| | exec_template_literal_with_input | CRITICAL | child_process.exec(\ls ${x}`)| |exec_dynamic_string| CRITICAL |child_process.exec(cmd)| |exec_sync_dynamic_string| CRITICAL |child_process.execSync(cmd)| |eval_near_child_process| CRITICAL |eval(...)| |function_constructor_near_child_process| CRITICAL |new Function(...)| |spawn_dynamic_file_args| HIGH |spawn(bin, userArgs)| |exec_file_dynamic| HIGH |execFile(bin, ...)| |shell_true_option| HIGH |{ shell: true }| |os_system_equivalent| HIGH |Deno.run/Bun.spawn| |spawn_literal_dynamic_args| MEDIUM |spawn('git', userArgs)| |unbounded_buffer| LOW | exec withoutmaxBuffer| |missing_timeout| LOW | exec/spawn withouttimeout` |

Pragmas

  • // shellguard:ignore-next-line — suppress one finding
  • // shellguard:ignore-file — suppress whole file (rare; prefer per-line)

Why this exists

Ox-Security disclosed (2026-05) that 200k+ MCP stdio servers wrap child_process.exec with template literals carrying user input straight from LLM tool args. LiteLLM v1.83.6 was the canonical example (CVE patched in 1.83.7). This bundle is the defensive-security counterpart: a drop-in guard + scanner that closes the class. Inspired by AWS Linux seccomp + Chromium sandbox tiers.

See also

License

MIT — Copyright (c) 2026 Matthias Meyer (StudioMeyer)