UltraRAG

The server uses `ast.literal_eval` for parsing configuration values like list delimiters, which is generally safer than `eval` but still processes string input as Python literals. Subprocess execution (`subprocess.Popen`, `asyncio.create_subprocess_exec`) is used for launching MCP servers and external tools like `mineru`, which is inherent to its architecture; parameters appear to be sanitized or derived from trusted sources. Network risks include making API calls to external LLM providers (OpenAI, ZhipuAI) and web search services (Exa, Tavily), and also supports deploying a remote retriever via a configurable URL (`retriever_url`). If `retriever_url` is user-controlled in a non-isolated environment, it could pose a Server-Side Request Forgery (SSRF) risk. Hardcoded secrets are avoided by relying on environment variables (e.g., `LLM_API_KEY`, `EXA_API_KEY`). The framework's overall security depends significantly on how users configure and deploy individual MCP servers and pipelines.