Nightward local-first audit

AI agent and dotfiles safety report

Generated 2026-04-30 18:00:00 UTC on nightward-fixture

Findings: 4
Items: 1
Signals: 4

High / mcp_unpinned_package

MCP server "demo" runs a package executor without an obvious pinned package version.

Replace unversioned or @latest package references with a reviewed explicit version.

Evidence
command=npx args=-y @modelcontextprotocol/server-filesystem $HOME url=

Medium / mcp_secret_env

MCP server "demo" references a sensitive environment key.

Keep secret values outside dotfiles and document required env names only.

Evidence
env.API_TOKEN=${API_TOKEN}

Medium / mcp_broad_filesystem

MCP server "demo" appears to reference broad filesystem access.

Narrow filesystem arguments to explicit project or vault directories.

Evidence
npx -y @modelcontextprotocol/server-filesystem $HOME 

Info / mcp_server_review

Review MCP server "demo" before syncing this config.

Confirm this server is intentional and safe for the target machine before syncing.

Evidence
npx -y @modelcontextprotocol/server-filesystem $HOME 

Fix Plan

Narrow filesystem access: 1 finding

Externalize inline secrets: 1 finding

Review finding: 1 finding

Pin package executors: 1 finding