BrandCode Studio

Extracts brand identity from websites and Figma files into structured design tokens, brand policies, and AI-consumable guidelines.

→ brand-system/brandsystem-mcp · listed on pulsemcp

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

PulseMCP Glama

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings

🚨

Secret credentials may flow to a network call

1 flow detected: FIRECRAWL_API_KEY. We can’t prove the destination matches the brand the credential belongs to.

⚠️

Tool descriptions don’t match what handlers do

3 tools describe read intent but their handlers mutate — brand_check (line 822: re.exec(input)); brand_clarify (line 232: hexPattern.exec(answer)); brand_feedback_review (line 20: mkdir(FEEDBACK_DIR, { recursive: true }))

🚨

Known vulnerabilities in dependencies: 2 critical

Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.

🔐

You'll be asked for 3 credentials: BRANDCODE_MCP_SMOKE_FULL_KEY, BRANDCODE_MCP_SMOKE_READ_KEY, FIRECRAWL_API_KEY

These are read from process.env at runtime. Make sure you trust where they’ll be sent.

// known CVEs in dependencies2 critical1 low

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

criticalvitest@3.0.0GHSA-5xrq-8626-4rwp

When Vitest UI server is listening, arbitrary file can be read and executed

criticalvitest@3.0.0GHSA-9crc-q9x8-hgqq

Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening

lowyaml@2.7.0GHSA-48c2-rrv3-qjmp

yaml is vulnerable to Stack Overflow via deeply nested YAML collections

Depend on this server? Get alerted when its CVEs change.Watch this server free →

// required environment variables

This server reads these from process.env. You'll be asked to provide them before it can run.

configBRANDCODE_MCP_ENV

configBRANDCODE_MCP_SMOKE_ASSET_ID

🔐 secretBRANDCODE_MCP_SMOKE_FULL_KEY— "bck_test_..." \

🔐 secretBRANDCODE_MCP_SMOKE_READ_KEY— "bck_test_..." \

configBRANDCODE_MCP_SMOKE_SKIP_FEEDBACK

configBRANDCODE_MCP_SMOKE_TIMEOUT_MS

configBRANDCODE_MCP_SMOKE_URL— "https://mcp.staging.brandcode.studio/{slug}" \

configBRANDCODE_MCP_TEST_KEYS

configBRANDSYSTEM_TELEMETRY

🔐 secretFIRECRAWL_API_KEY

configMCP_CLIENT

configPORT

configUCS_API_BASE_URL

// full audit trail

The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.

// improvement guidance — verified publishers only

We have 10 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.

// embed badge in your README

[![M8ven Score](https://m8ven.ai/badge/mcp/brand-system-brandsystem-mcp-1sbnnq)](https://m8ven.ai/mcp/brand-system-brandsystem-mcp-1sbnnq)

commit: 62d33a65e4b3b765d07ee2b691c22cd2152bdb1c

code hash: 3e7c0365ee8f8c25355f8f0ec678e3a30e3fdabbfd8ffebc11e25eef4d88564b

verified: 6/16/2026, 1:06:49 PM

view raw JSON →