Hi from Anthropic π
We reviewed CodeAnt AI for inclusion in the Anthropic MCP Directory. We found several items that need to be addressed before we can list the server.
Required
-
File path validation β We observed that the ls, read, glob, and grep tools resolve user-supplied paths against the working directory using path.resolve but do not verify the resolved path remains inside that directory, so inputs like ../../etc reach the filesystem outside the intended scope. Please add a boundary check (e.g., reject when resolved.startsWith(cwd) is false) on each of these tools.
-
Privacy policy URL β We observed the privacy_policies URL in the manifest (https://codeant.ai/privacy) returns 404 after redirect. Please point this field at a live policy page.
-
Configuration disclosure β We observed the server reads a number of environment variables that are not declared in the manifest's user_config or mcp_config.env, including access tokens and URLs for Azure DevOps, Bitbucket, GitHub, and GitLab (the full set is visible in the source's process.env.* references). Please declare each one users are expected to set (with sensitive: true for tokens) so the install flow can collect them and the server's behavior is discoverable from the manifest.
-
Headless startup β We observed the server opens a browser during MCP initialization when no API token is present. Please remove the automatic browser launch from the init path and instead surface a clear error or no-op until the user invokes the existing codeant_login tool, so the server runs cleanly in headless and automated environments.
Recommended
-
Telemetry disclosure β We observed PostHog telemetry is initialized by default with opt-out via CODEANT_TELEMETRY_DISABLED. Please add a short note to the manifest long_description disclosing the collection and the opt-out variable.
-
Documentation URLs β We observed the manifest's support and documentation URLs (https://docs.codeant.ai/support, https://docs.codeant.ai/cli/claude-code-plugin) both return 404. Please update them to live pages or remove the fields until the docs are published.
We're happy to re-review once these are addressed. Feel free to reach out with any questions.
Hi from Anthropic π
We reviewed
CodeAnt AIfor inclusion in the Anthropic MCP Directory. We found several items that need to be addressed before we can list the server.Required
File path validation β We observed that the
ls,read,glob, andgreptools resolve user-supplied paths against the working directory usingpath.resolvebut do not verify the resolved path remains inside that directory, so inputs like../../etcreach the filesystem outside the intended scope. Please add a boundary check (e.g., reject whenresolved.startsWith(cwd)is false) on each of these tools.Privacy policy URL β We observed the
privacy_policiesURL in the manifest (https://codeant.ai/privacy) returns 404 after redirect. Please point this field at a live policy page.Configuration disclosure β We observed the server reads a number of environment variables that are not declared in the manifest's
user_configormcp_config.env, including access tokens and URLs for Azure DevOps, Bitbucket, GitHub, and GitLab (the full set is visible in the source'sprocess.env.*references). Please declare each one users are expected to set (withsensitive: truefor tokens) so the install flow can collect them and the server's behavior is discoverable from the manifest.Headless startup β We observed the server opens a browser during MCP initialization when no API token is present. Please remove the automatic browser launch from the init path and instead surface a clear error or no-op until the user invokes the existing
codeant_logintool, so the server runs cleanly in headless and automated environments.Recommended
Telemetry disclosure β We observed PostHog telemetry is initialized by default with opt-out via
CODEANT_TELEMETRY_DISABLED. Please add a short note to the manifestlong_descriptiondisclosing the collection and the opt-out variable.Documentation URLs β We observed the manifest's
supportanddocumentationURLs (https://docs.codeant.ai/support,https://docs.codeant.ai/cli/claude-code-plugin) both return 404. Please update them to live pages or remove the fields until the docs are published.We're happy to re-review once these are addressed. Feel free to reach out with any questions.