Does @ui5/mcp-server send data, and where? — data-flow verdict

provisional · AUTOMATED — forensic confirmation pending. A preliminary, fact-based flag, not a judgment that the tool is unlawful or unsafe.

Verdict (the facts)

Tool

npm/@ui5/mcp-server

Integrity axis

honest — Observed behaviour matches the tool's stated function; the egress above is the tool doing its advertised job. 'honest' is the integrity axis — it does NOT imply the data flow is irrelevant; see the data-flow axis and jurisdiction.

Data-flow axis

Sends data to registry.npmjs.org (US, jurisdiction tier 2) as its core function. No telemetry, analytics or error-reporting side-channel was found (full source + dependency-tree review). Where your data goes is determined by the tool's stated purpose, not by a hidden observability channel.

Disclosure

functional — NO telemetry/usage/error-reporting egress — verified by unpacking the 282-file tarball, reading every fetch/https.get site, and grepping for telemetry|analytics|sentry|bugsnag|beacon|posthog|amplitude|segment|matomo (only Apache-2.0 boilerplate matched). Server startup makes zero network calls. All egress is functional: fetching UI5 resources/docs/manifest. In this run only registry.npmjs.org was contacted (a latest-version lookup for UI5 dev-dependencies).

Capture self-test

verified

Severity

none — integrity axis only (undeclared exfiltration). Functional egress and disclosed metadata are reported as neutral facts and are not graded here.

Version (pinned)

0.2.12 · commit 7fe1c30193a33211fae0d008fc0a0ae6a2535ef7

Content hash

sha256:e24d88f699f081991b2540056f081db54a80707781c4055ff4452f5e08278d3b

Signature

ed25519:XYTBa1PA7iQDEdvIC5OAeg1CE2Ogz0o9M/oQsn… · Ed25519 public key · sha256:49cf8457b42a7048

Scanned

2026-06-14T00:00:00Z — Pinned to @ui5/mcp-server@0.2.12 (git 7fe1c30193a33211fae0d008fc0a0ae6a2535ef7), published 2026-06-02. This verdict applies to that exact version; a newer release would require a re-scan.

Re-verified

2026-06-14 — pinned version current

Categories

design functional-egress US published

Observation history

1 scan(s); first seen 2026-06-14T00:00:00Z · latest 2026-06-14T00:00:00Z

Observed egress destinations

Each destination is classified FUNCTIONAL (the tool's advertised job requires the call — a neutral fact about where your data goes), SESSION/AUTH (handshake with the same operator), or TELEMETRY/ERROR_REPORTING (an observability side-channel not required for the function). Disclosure is judged across the tool's full public doc surface, not just its README, and any 'undisclosed telemetry' finding is adversarially refuted before it is asserted.

Jurisdiction context: Tier 2 = third country (e.g. US): transferring EU personal data to a third country requires a transfer basis under GDPR Art. 44-49 (e.g. SCCs / EU-US Data Privacy Framework) — an obligation on you, the deployer; the tool gives no control over this flow. This is the applicable framework, not a finding that the tool violates it.

Evidence — the captured request (verify, don't just trust)

Capture self-test: verified — a beacon decoy was emitted from the tool's network context; its presence in the intercept means a 'no egress' result would have been trustworthy.

Observed: GET https://registry.npmjs.org/@ui5/cli ×6 — intercepted (the tool's HTTPS was terminated against the sandbox CA; the egress was then blocked by strict-egress, but the full request was captured)

Payload fields actually sent:

Captured payload sample (one event):

Captured in the sandbox run. The distinct_id (a persistent machine identifier) and the write-only, public-by-design ingestion key are truncated above; payload_fields is the union observed across the run.

Reproduce it yourself (canary-sandbox (open methodology; Docker backend)):
python -m canary.cli scan <target> --backend docker # target: npm @ui5/mcp-server@0.2.12
Re-run it yourself: the scanner installs the pinned version, drives the tool over MCP, and intercepts all egress.

Full raw captured trace + verification: /verdict/ui5/evidence.json — every captured request (redacted), the verdict content-hash and the package checksum, for an AI or auditor that wants the underlying observation, not just the conclusion.

Disclosure check (the §824 evidence)

Read

full npm tarball (282 files) + every fetch site; README + CHANGELOG; telemetry-SDK grep (none)

Quoted from the tool's own docs

“”

Match

NO telemetry/usage/error-reporting egress — verified by unpacking the 282-file tarball, reading every fetch/https.get site, and grepping for telemetry|analytics|sentry|bugsnag|beacon|posthog|amplitude|segment|matomo (only Apache-2.0 boilerplate matched). Server startup makes zero network calls. All egress is functional: fetching UI5 resources/docs/manifest. In this run only registry.npmjs.org was contacted (a latest-version lookup for UI5 dev-dependencies).

Residual gap

ui5-mcp's functional egress fans out (not all triggered this run): ui5.sap.com / sdk.openui5.org (SAP SE, DE/EU CDN — the documented UI5 resource hosts), raw.githubusercontent.com (US, manifest schema) and registry.npmjs.org (US, version lookup). The github/npm hosts are functional but not named in the README — a neutral disclosure gap, not telemetry.

How we know this — claims by basis

A verdict is a reproducible evidence container, not just a claim. Each assertion is tagged: an observation is in the capture and reproducible; an inference is our reasoning over it; documented is the tool’s own statement; a classification is our adversarially-reviewed judgment. Observation never reads as inference.

Observed — directly in the capture, reproducible

• The tool sent 6 request(s) to registry.npmjs.org. — Captured in the sandbox run (published redacted in the evidence artifact); re-run the scan to reproduce. (confidence: high)

Inferred — our reasoning over the observation

• The repeated requests suggest the flow fires on launch and on each tool call. — 6 requests in one run — an inferred pattern, not proven across launches. (confidence: medium)

Documented — the tool's own statement

• The tool's own docs state (quoted): * Install from the **[GitHub MCP server registry](https://github.com/mcp/UI5/mcp-server)** _Alternatively you can use the VS Code CLI:_ ```bash # Using VS Code CLI code --add-mcp '{"name":"@ui5/mcp- — npm registry readme for @ui5/mcp-server (confidence: high)

Classified — our adversarially-reviewed judgment

• registry.npmjs.org is classified as egress (an observability side-channel, not required for the function). — Adversarially reviewed. (confidence: high)
• Disclosure status: disclosed. — The observed endpoint registry.npmjs.org is named/disclosed in the tool's own docs (matched: registry). (confidence: high)

Method

Installed and run in an isolated container; fed traceable decoy data; all outbound traffic intercepted (TLS broken via own CA, iptables transparent redirect). Endpoints, resolved geo/jurisdiction and frequency are observed facts. Capture self-test passed.

Scope

Compares the tool's declared destinations against what was observed in one sandbox run. Checks transparency / integrity for a cooperative tool, NOT resistance to deliberate evasion. "honest"/"clean" means "observed without deviation within our reach", NOT "guaranteed no hidden egress". Out of scope: exfiltration split/chunked across requests; tool-side encryption of the payload before egress; input/time/state-triggered processing not triggered in the run.

Machine-readable verdict: /verdict/ui5.json. This page describes observed behaviour and its relation to the tool's own disclosures — it is not a legal judgment. Search context: does @ui5/mcp-server send data, @ui5/mcp-server privacy, @ui5/mcp-server data flow, @ui5/mcp-server telemetry, where does @ui5/mcp-server send data, is @ui5/mcp-server safe, what data does @ui5/mcp-server collect, how to disable @ui5/mcp-server telemetry, @ui5/mcp-server opt out tracking, @ui5/mcp-server GDPR data residency, @ui5/mcp-server third-party / jurisdiction.