dataroma-mcp

v0.1.2 suspicious
6.0
Medium Risk

An MCP server for Dataroma to access superinvestor holdings and trades

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits moderate risks due to its metadata characteristics and potential network misuse, suggesting possible unauthorized data access. Further investigation is required.

  • network risk (5/10)
  • metadata risk (7/10)
Per-check LLM notes
  • Network: The network calls suggest the package is fetching data from an external source, which could be legitimate but requires further investigation to ensure it's not engaging in unauthorized data exfiltration.
  • Shell: No shell execution patterns were detected, indicating low risk for direct command execution.
  • Obfuscation: No obfuscation patterns detected, indicating low risk.
  • Credentials: No credential harvesting patterns detected, indicating low risk.
  • Metadata: The package shows several red flags including a new and low-effort account, single commit history, and lack of community engagement, indicating potential risk.

🔬 Heuristic Checks

Outbound Network Calls score 7.5

Found 5 network call pattern(s)

  • rl = BASE_URL response = requests.get(url, headers=HEADERS) if response.status_code != 200:
  • {manager_id}" response = requests.get(url, headers=HEADERS) if response.status_code != 200:
  • sym={symbol}" response = requests.get(url, headers=HEADERS) if response.status_code != 200:
  • managers.php" response = requests.get(url, headers=HEADERS) if response.status_code != 200:
  • RL}/m/rt.php" response = requests.get(url, headers=HEADERS) if response.status_code != 200:
Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution

No shell execution patterns detected

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: gmail.com

Suspicious Page Links

All external links appear legitimate

Git Repository History score 5.0

Git history flags: Repository has zero stars and zero forks

  • Repository has zero stars and zero forks
  • Single contributor with only 3 commit(s) — possibly throwaway account
Maintainer History score 8.0

4 maintainer concern(s) found

  • Package uploaded less than 24 hours ago (2026-06-05T07:05:20.000Z)
  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
  • Package has no PyPI classifiers (low effort / metadata quality)