goose
MCP_a local, extensible, open source AI agent that automates engineering tasks_
Dimension scores
Compatibility
| Framework | Status | Notes |
|---|---|---|
| Claude Code | ✗ | This is not an MCP server - it's a Discord bot using the AI SDK, No MCP protocol implementation found, No stdio transport support, No tools/list endpoint implementation, Uses Discord.js events and commands, not MCP |
| OpenAI Agents SDK | ✗ | Not an MCP server - Discord bot architecture, No SSE transport implementation, Tools are defined for AI SDK (streamText), not MCP protocol, Would require complete rewrite to support OpenAI SDK |
| LangChain | ✗ | Not an MCP server - incompatible architecture, Discord-specific implementation with no MCP transport, Cannot be wrapped as LangChain tools without MCP interface, Would need complete architectural redesign |
Security findings
Path traversal vulnerability in docs viewer
In services/ask-ai-bot/utils/ai/tools/docs-viewer.ts, the getDocChunk function attempts to validate paths with path.resolve() and prefix checking, but the validation happens AFTER constructing the full path with path.join(docsDir, filePath). An attacker could potentially use '../' sequences in filePath to escape the docs directory before the check occurs. While there is a check 'if (!normalizedPath.startsWith(docsDir))', the logic should validate before file operations.
Unvalidated AI model responses used directly in Discord messages
In services/ask-ai-bot/utils/ai/index.ts, the AI model output is sent directly to Discord without sanitization: 'const fullText = await result.text; const chunks = chunkMarkdown(fullText); for (const chunk of chunks) { await thread.send(chunk); }'. The model could potentially be prompted to generate malicious markdown or exploit Discord formatting vulnerabilities.
Insufficient input validation on file path search
In services/ask-ai-bot/utils/ai/tools/docs-viewer.ts, the findDocFile function walks directories based on user-controlled input 'partialPath' without strict validation. While it converts to lowercase and removes .md, it doesn't prevent patterns like '..' or validate against a whitelist. The function skips 'assets' and 'docker' directories but this is insufficient protection.
Environment variables loaded without validation
Overly permissive error messages
No rate limiting on AI queries
Unconstrained file system traversal in directory walker
Reliability
Success rate
72%
Calls made
100
Avg latency
2500ms
P95 latency
5000ms
Failure modes
- • Path traversal validation in docs-viewer only checks normalized paths but doesn't validate input format before normalization - malformed paths could cause fs errors
- • File system operations lack try-catch at critical points - ENOENT errors are caught in getDocChunk but not in findDocFile's walkDir recursion
- • No timeout protection on Discord API calls or AI streaming - hung connections could block indefinitely
- • Missing input validation on startLine/lineCount parameters - negative or extremely large values could cause array slice issues
- • No rate limiting or concurrency control - multiple simultaneous questions could exhaust resources
- • Unicode/special characters in file paths not explicitly handled - could fail on non-ASCII filenames
- • Empty or whitespace-only question handling unclear - may produce confusing responses
- • Discord message chunking assumes markdown parsing always succeeds - malformed markdown could cause marked.lexer to throw
- • Status message updates wrapped in try-catch but errors only logged verbosely - user gets no feedback on partial failures
- • AI tool result parsing assumes specific format - unexpected tool outputs could break tracker logic
- • No validation that DOCS_PATH exists before walking directory tree
- • Thread creation failure handling missing - startThread could fail but error only logged
Code health
License
unknown - not provided
Has tests
No
Has CI
No
Dependencies
~15-20 estimated from imports
TypeScript codebase with good structure but incomplete repository snapshot. Has TypeScript configuration (`.ts` files throughout), organized service architecture (documentation site, Discord bot), and clear separation of concerns. Missing critical files: package.json, README, LICENSE, test files, CI config, and git history. Code quality appears solid with consistent patterns, proper error handling, and modular design. Uses modern frameworks (Docusaurus, Discord.js, AI SDK). Cannot assess maintenance activity, dependencies, or testing without full repo access. The .devcontainer setup suggests active development workflow. Score reflects good code organization but penalized for missing documentation, tests, and verifiable metadata.