Silex

Silex is an online tool for visually creating static sites with dynamic data. With the free/libre spirit of internet, together.

silexlabsbrowser-webJavaScriptAGPL-3.0
GitHub
0Tools
4Findings
2.7kStars
Mar 22, 2026Last Scanned
2 critical · 1 high · 1 low findings detected

Security Category Deep Dive

Prompt Injection
Prompt & context manipulation attacks
69
Maturity
14
Rules
5
Sub-Categories
1
Gaps
64%
Implemented
56
Tests
1
Stories
PI-DIRDirect Input Injection
100%3 rules
Injection via tool descriptions and parameter fields
GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules
PI-INDIndirect / Gateway Injection
100%4 rules
Hidden instructions via external content and tool responses
PI-CTXContext Manipulation
100%2 rules
Context window saturation and prior-approval exploitation
PI-ENCEncoding & Obfuscation
100%3 rules
Payload hiding via invisible chars, base64, schema fields
PI-TPLTemplate & Output Poisoning
100%2 rules
Injection via prompt templates and runtime tool output
Framework Coverage
OWASP MCP Top 1014/14
MITRE ATLAS14/14
CoSAI MCP2/14
OWASP Agentic Top 1012/14
Kill Chain Phases
0Initial Access
0Defense Evasion
0Execution
0Persistence

Findings4

2critical
1high
1low

Critical2

criticalC5Hardcoded SecretsMCP07-insecure-config
Pattern "AC[a-z0-9]{32}" matched in source_code: "acf00f6b133b7ac24255f2652fa22ae353" (at position 1500)
Move all secrets to environment variables. Use a secrets manager (Vault, AWS Secrets Manager, Doppler) in production. Rotate any exposed credentials immediately. Add a pre-commit hook (e.g. gitleaks, truffleHog) to prevent future leaks.
criticalK9Dangerous Post-Install HooksMCP10-supply-chainAML.T0054
Pattern "["'](?:postinstall|preinstall|install)["']\s*:\s*["'][^"']*(?:curl|wget|node\s|python|bash|sh\s|powershell)" matched in source_code: ""preinstall": "node " (at position 566)
Remove network requests, code execution, and shell commands from install hooks. Post-install scripts should only run build/compile steps (node-gyp, tsc). Use --ignore-scripts flag during CI installations and audit all install hooks before allowing. Required by OWASP ASI04 and CoSAI MCP-T11.

High1

highD1Known CVEs in DependenciesMCP08-dependency-vuln
Dependency "glob@11.0.2" has known CVEs:
Update dependencies to versions that patch known CVEs. Run 'npm audit fix' or 'pip-audit' to identify and resolve vulnerable dependencies.

Low1

lowF4MCP Spec Non-ComplianceMCP07-insecure-config
Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions
Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.