Hi team, and thanks for building pg-aiguide in the open.
I run Major Labs (majorlabs.co), an independent studio that does read-only static analysis of the public MCP server ecosystem. We scan published source only. We never probe or test running servers, and we never publish per-repo findings, only population-level statistics.
Our tooling flagged several shell=True calls in ingest/postgres_docs.py (around lines 30, 39, 79, 111, and 121) and an outbound request in ingest/tiger_docs.py around line 493. Plainly, shell calls and a fetch in the ingestion pipeline, flagged because they would matter if any input were agent controlled.
This is a static signal, not a confirmed vulnerability, and a non-issue if the ingest pipeline only ever runs on trusted, operator-provided input, which is the usual case. I would rather flag it quietly than publish anything per-repo. If you have a company security address you would prefer I use, or a private advisory on the repo, point me there and I will share the exact lines. Our method is open source at github.com/major-matters/mcp-scanner.
On process: no per-repo findings are published, and no named target list exists. A repo is not eligible for our aggregate counts until 45 days after contact. If anything changes and you are happy for it, I would credit pg-aiguide in a public "fixed since last sweep" list.
Thanks for building in the open,
Charlie, Major Labs
Hi team, and thanks for building pg-aiguide in the open.
I run Major Labs (majorlabs.co), an independent studio that does read-only static analysis of the public MCP server ecosystem. We scan published source only. We never probe or test running servers, and we never publish per-repo findings, only population-level statistics.
Our tooling flagged several
shell=Truecalls iningest/postgres_docs.py(around lines 30, 39, 79, 111, and 121) and an outbound request iningest/tiger_docs.pyaround line 493. Plainly, shell calls and a fetch in the ingestion pipeline, flagged because they would matter if any input were agent controlled.This is a static signal, not a confirmed vulnerability, and a non-issue if the ingest pipeline only ever runs on trusted, operator-provided input, which is the usual case. I would rather flag it quietly than publish anything per-repo. If you have a company security address you would prefer I use, or a private advisory on the repo, point me there and I will share the exact lines. Our method is open source at github.com/major-matters/mcp-scanner.
On process: no per-repo findings are published, and no named target list exists. A repo is not eligible for our aggregate counts until 45 days after contact. If anything changes and you are happy for it, I would credit pg-aiguide in a public "fixed since last sweep" list.
Thanks for building in the open,
Charlie, Major Labs