SkillAudit report — neo4j-contrib/mcp-neo4j
Scanned 2026-04-24 by SkillAudit v0.2 (static checks + LLM-assisted prompt-injection red-team).
Commit: dbc01ba · Stars: 940 · Days since last push: 14
LLM prompt-injection probe: no-tool-surface
Overall grade: F (10/100)
| Axis | Score | Grade | |
|---|---|---|---|
| security | 10/100 | F | ❌ |
| permissions | 100/100 | A | ✅ |
| credentials | 100/100 | A | ✅ |
| maintenance | 100/100 | A | ✅ |
| compatibility | 70/100 | C | ⚠️ |
| docs | 90/100 | A | ✅ |
Security findings
Production sources:
- HIGH
servers/mcp-neo4j-cloud-aura-api/src/mcp_neo4j_aura_manager/aura_api_client.py:39— HTTP client call with user-controlled argument 'auth_url' — no URL allowlist / validation found in file
response = requests.post(auth_url, headers=headers, data=payload)
- HIGH
servers/mcp-neo4j-cloud-aura-api/src/mcp_neo4j_aura_manager/aura_api_client.py:95— HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file
response = requests.get(url, headers=self._get_headers())
- HIGH
servers/mcp-neo4j-cloud-aura-api/src/mcp_neo4j_aura_manager/aura_api_client.py:110— HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file
response = requests.get(url, headers=self._get_headers())
- HIGH
servers/mcp-neo4j-cloud-aura-api/src/mcp_neo4j_aura_manager/aura_api_client.py:117— HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file
response = requests.get(url, headers=self._get_headers())
- HIGH
servers/mcp-neo4j-cloud-aura-api/src/mcp_neo4j_aura_manager/aura_api_client.py:198— HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file
response = requests.post(url, headers=self._get_headers(), json=payload)
- HIGH
servers/mcp-neo4j-cloud-aura-api/src/mcp_neo4j_aura_manager/aura_api_client.py:229— HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file
response = requests.post(url, headers=self._get_headers())
- HIGH
servers/mcp-neo4j-cloud-aura-api/src/mcp_neo4j_aura_manager/aura_api_client.py:235— HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file
response = requests.post(url, headers=self._get_headers())
- HIGH
servers/mcp-neo4j-cloud-aura-api/src/mcp_neo4j_aura_manager/aura_api_client.py:241— HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file
response = requests.get(url, headers=self._get_headers())
- HIGH
servers/mcp-neo4j-cloud-aura-api/src/mcp_neo4j_aura_manager/aura_api_client.py:247— HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file
response = requests.get(url, headers=self._get_headers())
- HIGH
servers/mcp-neo4j-cloud-aura-api/src/mcp_neo4j_aura_manager/aura_api_client.py:260— HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file
response = requests.delete(url, headers=self._get_headers())
Test-site findings (lower weight): 2 total in test/ paths — first 3 shown
- WARN
servers/mcp-neo4j-cloud-aura-api/tests/integration/test_http_transport_IT.py:78— HTTP client call with user-controlled argument 'server_url' (validation markers present but not verified against this call-site)
response = requests.get(server_url.replace("/mcp/", "/health"), timeout=5)
- WARN
servers/mcp-neo4j-cloud-aura-api/tests/integration/test_http_transport_IT.py:128— HTTP client call with user-controlled argument 'url' (validation markers present but not verified against this call-site)
response = requests.get(url, timeout=5)
Permissions
_No findings on this axis._
Credentials
_No findings on this axis._
Maintenance
_No findings on this axis._
Compatibility
Production sources:
- WARN
(meta)— No engines (Node) or python_requires declared — cross-client compatibility unverified
Documentation
Production sources:
- WARN
README— README has no usage/example section
no usage section
Methodology
SkillAudit v0.2 clones the repo at the provided ref (default: default branch, HEAD) into an ephemeral sandbox, runs six static checks over .js/.ts/.py sources, queries the GitHub API for maintenance signals, and runs an LLM-assisted prompt-injection red-team over the MCP tool surface. Each axis is scored against the rubric at
The prompt-injection axis extracts each server.tool(...) / @app.tool registration + the first ~60 lines of handler body, hands them to Claude Haiku 4.5 with a red-team system prompt, and asks for structured findings on untrusted-content flow into tool responses. One API call per scan, bounded at ~15K input tokens.
How to improve this grade
- Security — static: validate tool-input URLs against an allowlist before fetch/axios calls; use
execFilewith argv arrays instead ofexecwith template strings; never pass untrusted strings tosubprocesswithshell=True. - Security — prompt injection: never return fetched web-page / file / email content verbatim in a tool response. Wrap with a framing marker (e.g.,
<untrusted-content>...</untrusted-content>), summarize rather than inline, and never let untrusted content share a turn with credentials or other tool output. - Credentials findings: redact env-var reads before log lines and error messages; treat any string that ends up in a tool response as public.
- Maintenance: if the repo is inactive, document the maintenance model — "MCP tool, no breaking changes expected" is a legitimate signal.
- Docs: add a README install + usage section with a copy-pasteable command; add a SECURITY.md with a disclosure channel.
_Report generated by skillaudit.dev_
Want your repo audited?
First 100 audits go to waitlist signups in order. The engine runs against public GitHub URLs today.
Join the waitlist →