Scanner flagged 5 critical findings in alperhankendi/Ctxo PR #38 that are all false positives. Context below so the heuristics can be tuned.
Findings
1. src/index.ts:140 and src/index.ts:182 — "Very long single-line expression (524/517 chars) — possibly minified or obfuscated code"
These lines are MCP tool description strings passed to server.registerTool(...) from the @modelcontextprotocol/sdk. The description is what LLM clients read to decide when to call a tool, so it is deliberately detailed prose on a single line.
Example (line 152, similar shape to 140/182):
```ts
server.registerTool('get_logic_slice', {
  description: 'Retrieve a symbol and all its transitive dependencies as a Logic-Slice. Use this when you need to UNDERSTAND what a symbol depends on (downstream view). L1=signature only, L2=direct deps, L3=full closure, L4=with token budget. ...',
  inputSchema: { ... },
  annotations: toolAnnotations,
}, handler);
```
Not minified, not obfuscated — it is human-readable English inside a string literal. Suggestion: exclude long string literals from the minification heuristic, or scope the rule to statements containing multiple operators/semicolons rather than raw char count.
2. src/cli/init-command.ts:87-89 — "Unicode-escaped string with 18-33 escape sequences"
These lines are the CTXO ASCII banner rendered by `renderBanner()`, using box-drawing characters (U+2588 full block, U+2557 corner, U+2550 horizontal, etc.). Using `\uXXXX` escapes for non-ASCII source is a standard practice to avoid editor/encoding issues and is recommended by many style guides.
```ts
const art = [
  ' \u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557...',
  ...
];
```
No data exfiltration or injection vector — just printed to stdout via `console.log` during `ctxo init`. Suggestion: whitelist Unicode ranges associated with box-drawing/block elements (U+2500-U+259F), or suppress this rule when the target variable is clearly used for console output.
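As an added example (not the scanner's code and not Ctxo's), here is one way to implement both refinements suggested above in a single pass: the minification rule measures code density after string literal bodies are blanked out, and the Unicode rule whitelists the Box Drawing / Block Elements ranges while still flagging escapes that only hide printable ASCII. Function names, thresholds and the sample lines are assumptions made for the example.

```typescript
// Added example, not code from the scanner or from Ctxo: refined versions of the
// two heuristics discussed in this issue. All thresholds and names are assumptions.

const LONG_LINE_CHARS = 300;     // assumed raw-length trigger of the original rule
const MIN_SIGNAL_DENSITY = 0.2;  // assumed: operator/separator chars per code char
const MIN_ESCAPES = 8;           // assumed: escape count before the Unicode rule fires

// Replace every string literal body with an empty literal so prose inside
// quotes does not count toward minification signals.
function stripStringLiterals(line: string): string {
  return line.replace(/'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|`(?:\\.|[^`\\])*`/g, '""');
}

// Finding 1: flag a long line only if the code *outside* literals is still long
// and dense in operators or statement separators (the shape of minified output).
function looksMinified(line: string): boolean {
  if (line.length < LONG_LINE_CHARS) return false;
  const code = stripStringLiterals(line);
  if (code.length < LONG_LINE_CHARS) return false;       // the length came from literals
  const signals = (code.match(/[;{}()=<>+\-*\/%&|!?:,]/g) || []).length;
  const semicolons = (code.match(/;/g) || []).length;
  return semicolons >= 2 || signals / code.length >= MIN_SIGNAL_DENSITY;
}

// Collect the code points written as \uXXXX or \u{X...} escapes on a line.
function unicodeEscapeCodePoints(line: string): number[] {
  const re = /\\u([0-9a-fA-F]{4})|\\u\{([0-9a-fA-F]{1,6})\}/g;
  const points: number[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(line)) !== null) {
    points.push(parseInt(m[1] !== undefined ? m[1] : m[2], 16));
  }
  return points;
}

// Box Drawing (U+2500-U+257F) and Block Elements (U+2580-U+259F).
function isBoxOrBlock(cp: number): boolean {
  return cp >= 0x2500 && cp <= 0x259f;
}

// Escaping printable ASCII has no encoding rationale, unlike escaping non-ASCII.
function isPrintableAscii(cp: number): boolean {
  return cp >= 0x20 && cp <= 0x7e;
}

type EscapeVerdict = 'ok' | 'banner-art' | 'suspicious';

// Finding 2: whitelist banner art, keep flagging escapes that only hide plain ASCII.
function classifyUnicodeEscapes(line: string): EscapeVerdict {
  const cps = unicodeEscapeCodePoints(line);
  if (cps.length < MIN_ESCAPES) return 'ok';
  if (cps.every(isBoxOrBlock)) return 'banner-art';
  if (cps.some(isPrintableAscii)) return 'suspicious';
  return 'ok';  // ordinary non-ASCII text written with escapes
}

// Run both refined rules and return only what still deserves a finding.
function reviewLines(lines: string[]): string[] {
  const findings: string[] = [];
  lines.forEach((line, i) => {
    if (looksMinified(line)) findings.push(`line ${i + 1}: minified/obfuscated code`);
    if (classifyUnicodeEscapes(line) === 'suspicious') {
      findings.push(`line ${i + 1}: ASCII hidden in \\u escapes`);
    }
  });
  return findings;
}

// Constructed sample lines (not taken from the repository): a long tool
// description, genuinely minified code, banner art, and ASCII hidden in escapes.
const SAMPLE_LINES: string[] = [
  "description: '" + 'Retrieve a symbol and all its transitive dependencies. '.repeat(10) + "',",
  'function a(b,c){return b+c}var d=a(1,2);'.repeat(10),
  "' \\u2588\\u2588\\u2588\\u2588\\u2588\\u2588\\u2557\\u2588\\u2588\\u2588\\u2588\\u2588\\u2588\\u2588\\u2588\\u2557',",
  "const s = '\\u0068\\u0065\\u006c\\u006c\\u006f\\u0020\\u0077\\u006f\\u0072\\u006c\\u0064';",
];

console.log(reviewLines(SAMPLE_LINES));
```

With these rules the description string and the banner line produce no finding, while the repeated minified statement and the escape sequence that merely spells ASCII text still do. The density threshold and the escape count are the knobs a scanner would tune against its own corpus.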
Repo context
Ctxo is an MCP server (stdio transport) for AI coding assistants. PR #38 only adds the SafeSkill badge to README.md (+1 line) — the flagged files were not modified in this PR. The scanner's own note in the PR body already excludes CLI capabilities (`child_process`, fs, env) from scoring, but top findings were not filtered by the same logic.
Happy to answer any follow-up questions. Thanks for the tool — the overall report is useful, these specific heuristics just need refinement.