local_mcp

The server's core function is to execute arbitrary external commands (MCP servers) configured by the user via `command` and `args` in `nativemessaging.json`. This means a malicious external server, if configured, could run arbitrary code with the user's permissions, including accessing local files or making network requests. While the code itself does not contain 'eval' or direct malicious patterns, it acts as an execution environment for user-defined binaries/scripts without sandboxing. The README explicitly warns about this risk, stating 'Does not provide sandboxing: External servers run with your user's permissions. Malicious servers could access your files. Only enable trusted servers.' The use of an HMAC-based `tool_unlock_token` helps ensure the AI has read documentation before executing, but doesn't prevent malicious server behavior itself. The `env` field for subprocesses is used to pass sensitive information like API keys, which is a standard practice but relies on the security of the configuration file and the external server itself.