AI-Gateway

The MCP servers themselves (Starlette/FastMCP apps) do not appear to have direct code injection vulnerabilities with 'eval' or 'subprocess.run' on user input. They rely on environment variables for sensitive Azure AD/APIM configuration. Network calls are made using 'httpx' to a configured 'APIM_GATEWAY_URL'. The 'shared/utils.py' module uses 'subprocess.run(command, shell=True)' for executing Azure CLI commands. While this function is used in the context of deployment/cleanup scripts within Jupyter notebooks (labs), if it were exposed to arbitrary user input in a production server, it would be a critical command injection vulnerability. However, it is not part of the core runtime of the MCP tools themselves. The security of the overall solution heavily depends on the correct configuration of Azure API Management, Azure AD, and the underlying cloud resources, which is external to the MCP server code itself but central to the project's purpose.