Example report

IGLIGQ Trust Report: mcp-tool-router

This example shows the report structure. It is not an issued audit and should not be used as proof that any package is safe.

Example review output

mcp-tool-router

MCP Tool List · Medium confidence · Static analysis only · No code execution

81/100Review Required
Critical
0
High
1
Medium
3
Low
6
HighExternal service call requires reviewNET-002 · scripts/send.ts:42 · High
MediumPrompt surface may reduce oversightPROMPT-004 · SKILL.md:18-26 · Medium
Open example report

Artifact

Type
MCP Tool List
Scan date
2026-07-06
Example hash
sample-only-sha256-a12c4d9e8f7b6a5c4d3e2f10987654321fedcba9876543210abcdef1234567890

Dependency and Domain Review

Dependencies: mail-client ^2.8.0, yaml 2.7.0, tsx ^4.20.0

Domains: api.mailprovider.example, oauth.mailprovider.example

Review module

Capability Bill

A structured view of what the package appears able to read, write, call, execute or expose.

Capability evidence example
CapabilityActionSeverityConfidenceEvidence
Network accessCalls external mail APIHighHighscripts/send.ts -> fetch(api.mailprovider.example)
Filesystem writeWrites local export filesMediumMediumsrc/exporter.ts -> fs.writeFile(outputPath)
Prompt surfaceContains oversight-reduction wordingMediumMediumSKILL.md contains autonomous retry and approval-bypass language
Secrets handlingReads environment variablesMediumLowconfig/mail.ts -> process.env.MAIL_API_TOKEN

Review module

Claims vs Behavior

IGLIGQ compares stated purpose with visible behavior, permissions, external services and risky instructions.

Stated purpose

  • Routes tool calls
  • Documents available tools

Observed behavior

  • Exposes write-like tool names
  • Omits auth notes

Mismatch labels

  • Dangerous verbs need clearer user approval language

Risk Findings

HighNET-002

External service call requires review

The package appears to send workflow data to an external mail API. This can be legitimate, but it needs explicit disclosure and approval.

Evidence: scripts/send.ts:42

Recommendation: Disclose the destination domain, add an allowlist and require approval before outbound send actions.

MediumPROMPT-004

Prompt surface may reduce oversight

The instruction text appears to encourage autonomous retry behavior without a clear human approval checkpoint.

Evidence: SKILL.md:18-26

Recommendation: Add an explicit human approval gate for send, post, delete or external transfer actions.

Recommended Actions

  • Add permissions disclosure to the package manifest.
  • Pin dependencies and document external domains.
  • Request IGLIGQ Verified Audit before public listing.

Human review option

Verified Audit for public trust

Request a human-reviewed report when you need a public badge, procurement-ready PDF or enterprise private review. Review payment covers the audit process, not a guaranteed pass.