Fusion-Mcp-Server

The server architecture involves two local Python servers: an MCP server (`server.py`) communicating with Claude Desktop via stdio, and a Fusion 360 HTTP server (`fusion_http_server.py`) running within Fusion 360 on `localhost:8080`. The Fusion HTTP server is only accessible from the local machine, significantly limiting external attack surface. It directly processes tool commands and parameters received via HTTP POST requests and executes corresponding Fusion 360 API calls. There is no usage of `eval` or direct arbitrary code execution. The primary security risk would be if another process on the local machine could send malicious HTTP requests to `localhost:8080` to manipulate Fusion 360, but the scope of actions is limited to predefined CAD operations. Input validation for parameters is split between the MCP server (absolute validation) and Fusion server (proportional validation, handled by Fusion's API). Overall, given its local-only operation and limited command set, it is reasonably secure.