Server

Delimit — API Governance for AI Coding Assistants

Published by delimit-ai. Transport: stdio (local). Written in typescript.

Cross-source (2 sources)

View source on GitHub Scan status Methodology

Description

Description below is sourced from the LF AAIF MCP registry. MCPowered surfaces the publisher's own words; the publisher is the warrantor of any claims they make.

API governance for AI coding assistants. Breaking changes, policies, cross-model context.

Provenance

Server id: github/delimit-ai/delimit
Repository: delimit-ai/delimit-mcp-server
Package: npm:delimit-cli
Surfaced by: awesome-mcp-servers , LF AAIF registry
Category: Developer Tools

Scan status

Code axis

21 / 100

Higher is fewer findings; see how the code axis is computed.

Last scanned 2026-05-28T14:10:31Z

Source hash 679c23f3ec9a

Total findings 10 · 2 critical · 3 warning · 5 informational

Checks run Tool description scan , Tool output literal scan , Dependency CVE check , Permission audit

Findings

critical permission_audit methodology

bin/delimit-cli.js:535

Matched execSync(

Suggested action The server has the shell-exec + network-out + fs-write trifecta. This combination enables data exfiltration via shell. Review the install scope before granting.

Patterns trifecta
critical tool_output_literal_scan methodology

lib/hooks-installer.js:338

Matched #!/usr/bin/env node // Delimit MCP Integration Hook - ${hookName} // Auto-generated by Delimit Hooks Installer const axios = require('axios'); const fs = require('fs'); const path = require('path'); async function ${hookName.replace(/-/g, '_')}(context) { const agentUrl = …

Suggested action The output literal mentions environment variables. The LLM should not receive env var names in tool output where it could be tricked into exfiltrating them on a subsequent turn.

Patterns token-extraction
warning tool_output_literal_scan methodology

lib/decision-engine.js:426

Matched ~/.config/delimit/delimit.yml

Suggested action The tool output literal references a sensitive filesystem path. Review whether this content should be returned to the LLM: output payloads naming ~/.ssh/, /etc/passwd, or credential paths are a Return Value Injection vector.

Patterns filepath
warning tool_output_literal_scan methodology

lib/hooks-installer.js:261

Matched #!/bin/sh # Delimit Dynamic Governance Hook - ${hookName} # Auto-generated by Delimit Hooks Installer # Ensure agent is running if ! curl -s http://127.0.0.1:7823/status > /dev/null 2>&1; then echo "Starting Delimit Agent..." nohup node "${pkgRoot}/lib/agent.js" > /dev/…

Suggested action The output literal contains shell-network-call shapes (curl/wget) or exfiltration verbs. Review for instruction injection via tool output: the LLM treats tool returns as trusted context.

Patterns network
warning tool_output_literal_scan methodology

lib/hooks-installer.js:302

Matched #!/usr/bin/env node // Delimit Governance Hook for ${config.name} // Auto-generated by Delimit Hooks Installer const { execSync } = require('child_process'); const path = require('path'); // Governance check async function checkGovernance() { try { const result = e…

Suggested action The output literal contains shell-network-call shapes (curl/wget) or exfiltration verbs. Review for instruction injection via tool output: the LLM treats tool returns as trusted context.

Patterns network
informational permission_audit methodology

gateway/ai/backends/deploy_bridge.py:228

Matched subprocess.run

Suggested action The server spawns subprocesses. Review whether this matches the server's documented purpose.

Patterns subprocess
informational permission_audit methodology

bin/delimit-cli.js:535

Matched execSync(

Suggested action The server uses shell execution. Prefer execFile/spawn with argument arrays over shell strings. See methodology.

Patterns shell-exec
informational permission_audit methodology

adapters/cursor-rules.js:33

Matched fs.writeFileSync

Suggested action The server writes to the filesystem. Verify the server documents which paths it touches.

Patterns fs-write
informational permission_audit methodology

bin/delimit-cli.js:351

Matched fs.readdirSync

Suggested action The server reads from the filesystem. Verify the server documents which paths it accesses.

Patterns fs-read
informational permission_audit methodology

bin/delimit-cli.js:149

Matched axios.get

Suggested action The server makes outbound network calls. Verify the documented destination list matches.

Patterns network-out

What we couldn't check

dynamic_tool_descriptions
Static analysis only sees descriptions hardcoded in source. Servers that compute descriptions at runtime (server-generated tools/list responses) are not covered by Check 1 at v0.
ast_indirection
v0 regex sees only literal description strings. Descriptions assembled by concatenation or pulled through variable indirection evade detection until AST-level extraction lands in v1.

Install configuration

Universal install-config generation across agent clients (Claude Code, Cursor, Windsurf, ChatGPT Apps, Continue, Cline, Zed) is a v0 deliverable. For now, install per the publisher's repository instructions linked above. The auto-generated client-specific configuration block lands here when the install-config generator ships.

Disclaimer

Scan results describe what our static checks found and didn't find at the time of scan. They are not a recommendation, certification, or guarantee. A scanned-clean result is the absence of evidence of malice, not the presence of evidence of integrity. Servers can be compromised after scan. You are responsible for evaluating whether to install any MCP server. See our methodology for what we check, what we can't check, and the limits of static analysis.

MCPowered