Skip to main content
Scans/pypi/mcp-vector-search

mcp-vector-search

pypi

Share

Summary

mcp-vector-search v3.0.74 was classified as CRITICAL RISK with a risk score of 4426. Sigil detected 313 findings across 873 files, covering phases including provenance, install hooks, code patterns, network exfiltration, credential access, obfuscation. Review the findings below before installing this package.

CRITICAL RISK(4426)

v3.0.74

20 March 2026, 03:42 UTC

by Sigil Bot

Risk Score

4426

Findings

313

Files Scanned

873

Provenance

Registry

https://pypi.org/project/mcp-vector-search/3.0.74/

Findings by Phase

Phase Ordering

Phases are ordered by criticality, with the most dangerous at the top. Click any phase header to expand or collapse its findings. Critical phases are expanded by default.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

mcp_vector_search-3.0.74/PKG-INFO:221


### Zero-Config Setup (Recommended)
Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

mcp_vector_search-3.0.74/README.md:73


### Zero-Config Setup (Recommended)
Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

mcp_vector_search-3.0.74/docs/deployment/VERSIONING_WORKFLOW.md:390

make check-tools           # See what's missing
# Install uv: curl -LsSf https://astral.sh/uv/install.sh | sh
# Install git: (varies by system)
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

mcp_vector_search-3.0.74/docs/development/contributing.md:22

# Install UV package manager (if not already installed)
curl -LsSf https://astral.sh/uv/install.sh | sh
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

mcp_vector_search-3.0.74/docs/prd/mcp_vector_search_prd_updated.md:1479

# Project setup with UV (single command)
curl -LsSf https://astral.sh/uv/install.sh | sh
uv init mcp-vector-search --package
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

mcp_vector_search-3.0.74/docs/prd/mcp_vector_search_prd_updated.md:1532

        print("❌ UV not found. Install with:")
        print("   curl -LsSf https://astral.sh/uv/install.sh | sh")
        sys.exit(1)
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

mcp_vector_search-3.0.74/docs/prd/mcp_vector_search_prd_updated.md:1721

# Project setup with UV (single command)
curl -LsSf https://astral.sh/uv/install.sh | sh
uv init mcp-vector-search --package
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

mcp_vector_search-3.0.74/docs/prd/mcp_vector_search_prd_updated.md:1774

        print("❌ UV not found. Install with:")
        print("   curl -LsSf https://astral.sh/uv/install.sh | sh")
        sys.exit(1)
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

mcp_vector_search-3.0.74/docs/research/automatic-setup-command-design-2025-11-30.md:1001

⚠️  Recommendations:
  • Install uv for better package management: curl -LsSf https://astral.sh/uv/install.sh | sh
  • Alternatively, install via pipx: pipx install mcp-vector-search
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

mcp_vector_search-3.0.74/scripts/HOMEBREW_UPDATE_QUICKREF.md:49

```bash
curl -s https://raw.githubusercontent.com/bobmatnyc/homebrew-mcp-vector-search/main/Formula/mcp-vector-search.rb | grep -E '(version|sha256)'
```
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

mcp_vector_search-3.0.74/scripts/dev-mcp:138

    echo "  # or"
    echo "  curl -LsSf https://astral.sh/uv/install.sh | sh"
    echo ""
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

mcp_vector_search-3.0.74/scripts/dev-setup.py:33

        print("❌ UV not found. Install with:")
        print("   curl -LsSf https://astral.sh/uv/install.sh | sh")
        sys.exit(1)
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

mcp_vector_search-3.0.74/scripts/workflow.sh:42

    else
        echo "❌ UV package manager not found - install with: curl -LsSf https://astral.sh/uv/install.sh | sh"
    fi
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

mcp_vector_search-3.0.74/vendor/py-mcp-installer-service/src/py_mcp_installer/mcp_doctor.py:1018

        suggestions = {
            "uv": "Install uv: curl -LsSf https://astral.sh/uv/install.sh | sh",
            "python": "Install Python: https://python.org/downloads",
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

mcp_vector_search-3.0.74/vendor/py-mcp-installer-service/src/py_mcp_installer/mcp_inspector.py:653

        suggestions = {
            "uv": "Install uv: curl -LsSf https://astral.sh/uv/install.sh | sh",
            "python": "Install Python: https://python.org/downloads",
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

Badge

Sigil scan badge for pypi/mcp-vector-search

Markdown

[![Sigil Scan](https://sigilsec.ai/badge/pypi/mcp-vector-search)](https://sigilsec.ai/scans/DF7D24EA-5F3C-442C-8717-C6C3310DB3C5)

HTML

<a href="https://sigilsec.ai/scans/DF7D24EA-5F3C-442C-8717-C6C3310DB3C5"><img src="https://sigilsec.ai/badge/pypi/mcp-vector-search" alt="Sigil Scan"></a>

Run This Scan Yourself

Scan your own packages

Run Sigil locally to audit any package before it touches your codebase.

curl -sSL https://sigilsec.ai/install.sh | sh
Read the docs →Free. Apache 2.0.

Early Access

Get cloud scanning, threat intel, and CI/CD integration.

Join 150+ developers on the waitlist.

Get threat intelligence and product updates

Security research, new threat signatures, and product updates. No spam.

Other pypi scans

nteract

v2.0.3a202603200912

LOW RISK2

swarmauri_transport_wsjsonrpcmux

v0.1.1.dev18

LOW RISK0

swarmauri_vectorstore_annoy

v0.10.0.dev1

LOW RISK0

sage-memory

v0.5.1

CRITICAL RISK1151

mcp-appstore-server

v0.2.0

LOW RISK2

Believe this result is incorrect? Request a review or see our Terms of Service and Methodology.

Scanned bySigil Bot
← Back to Scan Database