salesforce-god-agent-mcp

The system presents several potential injection vulnerabilities. The `sf_schedule_apex` tool uses direct string concatenation for constructing an Apex anonymous execution, which is a critical risk if user-controlled input (e.g., `jobName`, `cronExpression`, `className`) is not strictly sanitized against Apex injection. SOQL/SOSL queries (`sf_query`, `sf_query_aggregate`, `sf_search_sosl`) directly use user-provided query strings; while `sf_query` invokes `validateSOQL`, this is primarily for best practices and may not provide full injection prevention. Operations using `conn.request` (`sf_debug_logs_retrieve`, `sf_undelete_records`) with interpolated parameters (`logId`, `sobject`) are also susceptible to path or URL manipulation if input is not rigorously validated. Furthermore, the main server handler uses `args as any` when passing arguments to tool functions, indicating a potential lack of robust runtime validation against the `inputSchema` definitions, allowing for potentially malicious or malformed input to reach the underlying tool logic.