// npm package
lokal-mcp
MCP server for Rett fra Bonden — find local food producers in Norway via Claude Desktop. Returns ranked producers with contact info and vCard links.
versions
8
maintainers
1
license
MIT
first publish
2026-04-02
publisher
slookisen
tarball
19,320 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-05-15
// exfil path
what is read → where it shipssteals
- ● MCP config
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
evidence in excerpt
> const BASE_URL = process.env.LOKAL_URL || "https://rettfrabonden.com";
> const res = await fetch(url, {
> const res = await fetch(url, {
> if (pathOrUrl.startsWith("http://") || pathOrUrl.startsWith("https://")) return pathOrUrl;
> "url": "git+https://github.com/slookisen/lokal.git"// offending code· @0.4.0· 2 files flagged
llm: benign · 0.85→ No suspicious destination, no remote-exec shape — 1 other host(s).
- @0.4.0··AUTO-PUBLISHED·publisher: slookisenheuristic 75/100static flags 3llm benign (0.85) via ollamanew-publisher:11dhas-source-repoai-agent-frameworkosv-flagged:MAL-2026-4602reads-mcp-configreads-env-varspublic-github-push
→ No suspicious destination, no remote-exec shape — 1 other host(s).
// offending code· 2 files flaggedpatterns: 3
--- package/index.js (excerpt) --- #!/usr/bin/env node /** * Lokal MCP Server — Find local food in Norway via Claude Desktop * * Install: * npx lokal-mcp * * Or add to Claude Desktop config (~/.claude/claude_desktop_config.json): * { * "mcpServers": { * "lokal": { * "command": "npx", * "args": ["lokal-mcp"] * } * } * } */ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"; import { z } from "zod"; const BASE_URL = process.env.LOKAL_URL || "https://rettfrabonden.com"; // ── Helpers ────────────────────────────────────────────────── async function fetchJSON(url) { const res = await fetch(url, { headers: { "Accept": "application/json", "User-Agent": "lokal-mcp/0.2.0" }, }); if (!res.ok) throw new Error(`HTTP ${res.status}: ${res.statusText}`); return res.json(); } async function postJSON(url, body) { const res = await fetch(url, { method: "POST", headers: { "Content-Type": "application/json", "Accept": "application/json", "User-Agent": "lokal-mcp/0.2.0", }, body: JSON.stringify(body), }); if (!res.ok) throw new Error(`HTTP ${res.status}: ${res.statusText}`); return res.json(); } function absoluteUrl(pathOrUrl) { if (!pathOrUrl) return undefined; if (pathOrUrl.startsWith("http://") || pathOrUrl.startsWith("https://")) return pathOrUrl; return ` --- package/package.json (excerpt) --- { "name": "lokal-mcp", "version": "0.4.0", "mcpName": "io.github.slookisen/lokal-mcp", "description": "MCP server for Rett fra Bonden \u2014 find local food producers in Norway via Claude Desktop. Returns ranked producers with contact info and vCard links.", "main": "index.js", "bin": { "lokal-mcp": "index.js" }, "type": "module", "files": [ "index.js", "README.md" ], "keywords": [ "mcp", "claude", "lokal", "food", "norway", "a2a", "local-food", "vcard", "rett-fra-bonden" ], "author": "Daniel Fredriksen", "license": "MIT", "dependencies": { "@modelcontextprotocol/sdk": "^1.12.1", "zod": "^3.23.8" }, "repository": { "type": "git", "url": "git+https://github.com/slookisen/lokal.git" } }
