Hi Dropbox Dash MCP maintainers. I maintain MCP Observatory, an OSS tool for producing reproducible MCP server receipts, safe attack-readiness evidence, risk graphs, and GitHub Code Scanning/SARIF gates.
This repo is a good candidate because it exposes an enterprise-search MCP boundary and uses OAuth/API credentials, which downstream agent users will naturally want to review before depending on it in production.
I did not run anything against Dropbox services or credentials. The useful next step would be a no-secret fixture mode that can safely exercise startup/list_tools in CI, then add a weekly SARIF gate. The generated command would look roughly like:
npx @kryptosai/mcp-observatory setup-ci --all --command "uv --directory . run src/mcp_server_dash.py" --sarif --schedule weekly
A good PR could add:
- a no-secret fixture/mock mode for CI
- an MCP Observatory target config for that mode
- generated Markdown/JSON receipt evidence
- optional SARIF upload to GitHub Code Scanning
If you have a preferred safe startup command or fixture approach, I’m happy to open a focused PR around that. No vulnerability claim here; this is about giving agent users a reproducible trust receipt before wiring enterprise search into automated workflows.
Hi Dropbox Dash MCP maintainers. I maintain MCP Observatory, an OSS tool for producing reproducible MCP server receipts, safe attack-readiness evidence, risk graphs, and GitHub Code Scanning/SARIF gates.
This repo is a good candidate because it exposes an enterprise-search MCP boundary and uses OAuth/API credentials, which downstream agent users will naturally want to review before depending on it in production.
I did not run anything against Dropbox services or credentials. The useful next step would be a no-secret fixture mode that can safely exercise startup/list_tools in CI, then add a weekly SARIF gate. The generated command would look roughly like:
npx @kryptosai/mcp-observatory setup-ci --all --command "uv --directory . run src/mcp_server_dash.py" --sarif --schedule weeklyA good PR could add:
If you have a preferred safe startup command or fixture approach, I’m happy to open a focused PR around that. No vulnerability claim here; this is about giving agent users a reproducible trust receipt before wiring enterprise search into automated workflows.