
mcp-code-mode

by Jame0077

Overview

An AI agent that generates and executes Python code, orchestrating external Model Context Protocol (MCP) tools to solve user tasks.

Installation

Run Command
python -m mcp_code_mode.executor_server

Environment Variables

  • OPENAI_API_KEY
  • GEMINI_API_KEY
  • MCP_SERVERS_CONFIG
  • MCP_EXECUTOR

Security Notes

CRITICAL RISK: By default, the server uses `LocalPythonExecutor` (selected in `executor_server.py` via `_EXECUTOR_BACKEND = 'local'`). This executor runs user-provided or LLM-generated Python code with `exec()` inside the same Python process as the server itself, so the executed code has full access to the host's filesystem, network, and environment variables, including any API keys present in the server's environment. `policies.py` attempts to block dangerous imports such as `subprocess` and calls such as `open()`, but these are string-based checks and can often be bypassed by a determined attacker or a clever LLM. The `SandboxedPythonExecutor` offers much stronger isolation (Deno+Pyodide, with network and filesystem restrictions) but is explicitly *not* the default because of stated limitations with HTTP requests, which the tool bridge needs. Running this server in its default configuration on untrusted input (for example, from a public API or a public Hugging Face Space) is a severe code execution vulnerability: it allows arbitrary code execution on the host machine.

Stats

Interest Score: 0
Security Score: 3
Cost Class: High
Avg Tokens: 3500
Stars: 0
Forks: 0
Last Update: 2026-01-19

Tags

  • AI Agent
  • Code Generation
  • Python Execution
  • MCP Tools
  • DSpy