Is io.github.vdappdev2/address safe to use?

io.github.vdappdev2/address has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.

How do I install io.github.vdappdev2/address?

io.github.vdappdev2/address supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.

What AI clients work with io.github.vdappdev2/address?

io.github.vdappdev2/address is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse transport.

Is io.github.vdappdev2/address actively maintained?

io.github.vdappdev2/address is actively maintained — last commit was 24 days ago. It has 2 GitHub stars.

io.github.vdappdev2/address

pnpm

MCP server for Verus addresses — generate, validate, list transparent and shielded addresses

2 103.2M/wk 0 tools GitHub npm

No known CVEs

No license

Actively maintained

Last commit 24d ago

Works with most clients

Transport: stdio, sse

0 tools

Grade F

Edit this pageView history

Other

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "verusidx-chain": {
      "args": [
        "-y",
        "@verusidx/chain-mcp"
      ],
      "command": "npx"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/io-github-vdappdev2-address)](https://mcppedia.org/s/io-github-vdappdev2-address)

Read me

What io.github.vdappdev2/address does

MCP server for Verus addresses — generate, validate, list transparent and shielded addresses

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

56/100across 5 weighted dimensions

How we score →

0255075100

−44

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

12 fixed

CVE-2026-24131medium · fixedCVSS 4

pnpm has Path Traversal via arbitrary file permission modification

### Summary When pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. **Note:** Only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). ### Details Vulnerable code in `pkg-manager/package-bins/src

Affected: >= 0Fixed in 10.28.2source →

CVE-2026-23888low · fixedCVSS 3.1

pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

### Summary A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outsid

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23889low · fixedCVSS 3.1

pnpm has Windows-specific tarball Path Traversal

### Summary A path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. **This vulnerability is Windows-only.** ### Details **1. Incomplete Path Normalization (`store/cafs/src/parseTarball.ts:107-110`)** ```typescript if (fileName.includes('./')) { fileName = path.posix.join('/'

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23890low · fixedCVSS 3.1

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

### Summary A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. ### Details The vulnerability exists in the bin name validation and normalization logic: **1. Validation Bypass (`pkg-manager/package-bins/src/index.ts`)** The filter allows any bin name starting wit

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-24056low · fixedCVSS 3.1

pnpm has symlink traversal in file:/git dependencies

### Summary When pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. **Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affe

Affected: >= 0Fixed in 10.28.2source →

Help improve this page

This server is missing a description. Tools and install config are also missing.If you've used it, help the community.

Add information

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is io.github.vdappdev2/address safe to use?: io.github.vdappdev2/address has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install io.github.vdappdev2/address?: io.github.vdappdev2/address supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with io.github.vdappdev2/address?: io.github.vdappdev2/address is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse transport.
Is io.github.vdappdev2/address actively maintained?: io.github.vdappdev2/address is actively maintained — last commit was 24 days ago. It has 2 GitHub stars.

Similar servers

Others in other

View all →

Pi Lean Ctx95

Pi Coding Agent extension (CLI-first) — routes bash/read/grep/find/ls through lean-ctx CLI for strong token savings. Optional MCP bridge can register advanced tools.

2.4k 6

Sigmap94

97% token reduction for AI coding sessions — zero deps, 21 languages, MCP server

499 6

Caveman Shrink93

MCP proxy that compresses prose fields (tool descriptions, etc.) using caveman rules. Same accuracy, fewer context tokens.

68.7k 4

Sunpeak93

App framework, testing framework, and inspector for MCP Apps.

188 1

MCP Security Weekly

Get CVE alerts and security updates for io.github.vdappdev2/address and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Other

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "verusidx-chain": {
      "args": [
        "-y",
        "@verusidx/chain-mcp"
      ],
      "command": "npx"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/io-github-vdappdev2-address)](https://mcppedia.org/s/io-github-vdappdev2-address)

Read me

What io.github.vdappdev2/address does

MCP server for Verus addresses — generate, validate, list transparent and shielded addresses

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

README

VerusIDX MCP Servers

7 MCP servers giving AI agents direct, local access to the Verus blockchain — 49 tools, zero cloud dependencies. No API keys. No accounts. No intermediary between the agent and the chain.

Works with Claude Code, Cursor, and any MCP-compatible client.

What Can an Agent Do?

Identity — create, update, revoke, and recover VerusIDs (protocol-level blockchain identities with on-chain data storage)
Data — store, retrieve, and decrypt on-chain data; sign and verify with SHA-256, Blake2b, Keccak-256, or Merkle Mountain Range proofs; share decryption access via viewing keys
Send & convert — move currency, convert through fractional baskets, cross-chain transfers via PBaaS bridges
Create currencies — define tokens, fractional reserve baskets, centralized currencies, ERC-20 mapped tokens
Trade — on-chain atomic swaps for currency-for-currency, currency-for-ID, or ID-for-ID
Privacy — shielded transactions via Sapling zero-knowledge proofs

Quick Start

Prerequisites: a running Verus daemon and Node.js 18+.

Add the foundation server to your MCP client config:

{
  "mcpServers": {
    "verusidx-chain": {
      "command": "npx",
      "args": ["-y", "@verusidx/chain-mcp"]
    }
  }
}

Then tell your AI to call refresh_chains — it discovers your local daemons automatically. That's it.

No separate install step — npx fetches and runs the package on demand. Add more servers as you need them (see below).

Servers

Package	Tools	Purpose
`@verusidx/chain-mcp`	11	Foundation — chain discovery, daemon management, health checks, currency lookup, raw transactions, RPC help
`@verusidx/identity-mcp`	11	Create, manage, and query VerusIDs
`@verusidx/send-mcp`	8	Send, convert, and transfer currency; check balances and conversions
`@verusidx/data-mcp`	7	Retrieve, decrypt, sign, and verify on-chain data; manage viewing keys
`@verusidx/address-mcp`	6	Generate, validate, and list transparent and shielded addresses
`@verusidx/marketplace-mcp`	5	On-chain offers and trades
`@verusidx/definecurrency-mcp`	1	Define and launch new currencies

chain-mcp is the foundation. It discovers running daemons and writes a registry file that all other servers read. Install it first. Every tool requires a chain parameter (e.g., "VRSC", "vrsctest") — there is no default chain.

Adding More Servers

Each server is independent — add or remove without affecting the others:

{
  "mcpServers": {
    "verusidx-chain": {
      "command": "npx",
      "args": ["-y

... [View full README on GitHub](https://github.com/vdappdev2/verusidx-mcp#readme)

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

56/100across 5 weighted dimensions

How we score →

0255075100

−44

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

12 fixed

CVE-2026-24131medium · fixedCVSS 4

pnpm has Path Traversal via arbitrary file permission modification

Affected: >= 0Fixed in 10.28.2source →

CVE-2026-23888low · fixedCVSS 3.1

pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23889low · fixedCVSS 3.1

pnpm has Windows-specific tarball Path Traversal

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23890low · fixedCVSS 3.1

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-24056low · fixedCVSS 3.1

pnpm has symlink traversal in file:/git dependencies

Affected: >= 0Fixed in 10.28.2source →

Help improve this page

This server is missing a description. Tools and install config are also missing.If you've used it, help the community.

Add information

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is io.github.vdappdev2/address safe to use?: io.github.vdappdev2/address has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install io.github.vdappdev2/address?: io.github.vdappdev2/address supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with io.github.vdappdev2/address?: io.github.vdappdev2/address is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse transport.
Is io.github.vdappdev2/address actively maintained?: io.github.vdappdev2/address is actively maintained — last commit was 24 days ago. It has 2 GitHub stars.

Similar servers

Others in other

View all →

Pi Lean Ctx95

Pi Coding Agent extension (CLI-first) — routes bash/read/grep/find/ls through lean-ctx CLI for strong token savings. Optional MCP bridge can register advanced tools.

2.4k 6

Sigmap94

97% token reduction for AI coding sessions — zero deps, 21 languages, MCP server

499 6

Caveman Shrink93

MCP proxy that compresses prose fields (tool descriptions, etc.) using caveman rules. Same accuracy, fewer context tokens.

68.7k 4

Sunpeak93

App framework, testing framework, and inspector for MCP Apps.

188 1

MCP Security Weekly

Get CVE alerts and security updates for io.github.vdappdev2/address and similar servers.