mcp-cli-ent

The primary security consideration is the tool's core function: executing external commands (e.g., via `npx`) and connecting to external HTTP/stdio-based MCP servers based on user-provided configurations (`mcp_servers.json`). If a malicious configuration is loaded, it can lead to arbitrary code execution. The `client/stdio.go` directly executes `os/exec.Command` based on `ServerConfig.Command` and `ServerConfig.Args`. While this is an inherent design aspect for a tool meant to bridge to other services, it emphasizes the critical need for users to only use trusted `mcp_servers.json` files and `npx` packages. Sensitive API keys are handled securely via environment variable substitution. The `curl | bash` installation method, while common for CLIs, inherently carries a risk of executing compromised remote code. The project emphasizes reproducible builds and checksum verification for the `mcp-cli-ent` binary itself.