atlantis-mcp-server
Verified Safe by ProjectAtlantis-dev
Overview
An MCP (Model Context Protocol) server for hosting and managing dynamic Python functions and third-party MCP tools, enabling AI agents to discover and utilize shared capabilities across a network.
Installation
python server.py --email=youremail@gmail.com --api-key=foobar --host=localhost --port=8000 --cloud-host=wss://projectatlantis.ai --cloud-port=443 --service-name=home
Environment Variables
- API_KEY
- SERVICE_NAME
- APP_NAME
- LOG_LEVEL
- OPENWEATHER_API_KEY
Security Notes
The server binds to localhost (127.0.0.1) by default, which keeps the direct external attack surface small. External access happens over an outbound Socket.IO connection to a trusted Atlantis cloud server rather than through an inbound listener. Internal functions (`_function*`, `_server*`, `_admin*`) are restricted to the owner. Localhost connections are treated as the owner for convenience and get full privileges; the caveat is that this trust extends to every process that can reach the loopback port (8000 in the installation example), not only to the person who started the server.

CRITICAL RISK: The `_function_get` tool can return the *entire source file* of a dynamic function, not just the function itself. Everything in that file is exposed: code, imports, comments, and any hardcoded sensitive data (e.g., API keys, credentials). The `@copy` decorator allows non-owners to retrieve source code according to visibility rules (`@public` or `@protected`), so a secret in a file that contains a `@public` or `@protected` function can reach callers who are not the owner.

The `README_SECURITY.md` explicitly warns against hardcoding secrets and recommends environment variables instead. Users must follow this practice consistently to prevent credential exposure through source retrieval.

The `_admin_pip_install` tool allows the owner to install arbitrary Python packages, which is a risk if the owner account is compromised, since installing a package can run arbitrary code on the host. The security model relies heavily on the trust of the host machine and the Atlantis cloud server, assuming neither is compromised and neither spoofs parameters.

Overall, the loopback bind and outbound-only cloud connection keep network exposure small, but the dynamic code execution and source code retrieval mechanisms introduce significant risk if secrets management is not handled strictly by the user.
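Because `_function_get` returns the whole file, the useful check is on the file before it becomes retrievable. The following is an added example, not code from the atlantis-mcp-server project: an AST-based scanner that flags string literals assigned to, or passed as, credential-looking names, run against two constructed dynamic-function files (a leaky one and the environment-variable version the security notes recommend). The `get_weather` function, the OpenWeather URL usage and the key value are made up for illustration; the `OPENWEATHER_API_KEY` name is taken from the environment variable list above, and the regex of secret-like names is this example's own heuristic, not a rule from the project.

```python
import ast
import re

# Heuristic for names that usually hold credentials. Assumption for this
# example; the project's own rules (if any) are not on the page.
SECRET_NAME = re.compile(r"(api[_-]?key|secret|token|passw(or)?d|credential)", re.IGNORECASE)

# Constructed sample: a dynamic-function file that hardcodes a key. With
# _function_get returning the full file, this key would be readable by
# anyone allowed to retrieve get_weather's source.
LEAKY_SOURCE = '''
import requests

OPENWEATHER_API_KEY = "0123456789abcdef0123456789abcdef"   # hardcoded secret

def get_weather(city):
    r = requests.get("https://api.openweathermap.org/data/2.5/weather",
                     params={"q": city, "appid": OPENWEATHER_API_KEY})
    return r.json()
'''

# Constructed hardened version: the key is read from the environment, so the
# retrieved source contains no credential.
SAFE_SOURCE = '''
import os
import requests

def get_weather(city):
    key = os.environ["OPENWEATHER_API_KEY"]
    r = requests.get("https://api.openweathermap.org/data/2.5/weather",
                     params={"q": city, "appid": key})
    return r.json()
'''


def _is_secret_literal(node):
    """A string constant long enough to be a real credential (skips '' and short placeholders)."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and len(node.value) >= 8


def find_hardcoded_secrets(source):
    """Return [(lineno, name)] for string literals bound to secret-looking names.

    Walks the AST rather than grepping, so comments, quoting style and line
    wrapping do not matter. Three binding forms are covered:
    NAME = "literal", call(api_key="literal") and {"api_key": "literal"}.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Assign, ast.AnnAssign)):
            targets = node.targets if isinstance(node, ast.Assign) else [node.target]
            for t in targets:
                name = t.id if isinstance(t, ast.Name) else getattr(t, "attr", None)
                if name and SECRET_NAME.search(name) and _is_secret_literal(node.value):
                    findings.append((node.lineno, name))
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg and SECRET_NAME.search(kw.arg) and _is_secret_literal(kw.value):
                    findings.append((node.lineno, kw.arg))
        elif isinstance(node, ast.Dict):
            for k, v in zip(node.keys, node.values):
                if (isinstance(k, ast.Constant) and isinstance(k.value, str)
                        and SECRET_NAME.search(k.value) and _is_secret_literal(v)):
                    findings.append((k.lineno, k.value))
    return findings


def safe_to_expose(source):
    """Gate to run before a file becomes retrievable via _function_get / @copy."""
    return not find_hardcoded_secrets(source)


if __name__ == "__main__":
    for label, src in (("leaky", LEAKY_SOURCE), ("safe", SAFE_SOURCE)):
        print(label, find_hardcoded_secrets(src), "exposable:", safe_to_expose(src))
```

The scanner is deliberately name-based and will miss a secret stored under an innocent name, so it is a pre-publish guard rather than a substitute for keeping credentials in `API_KEY`-style environment variables as the README recommends. The loopback-owner rule means the same file is also readable by any local process, so the gate is worth running even for functions that are not `@public`.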
Similar Servers
tmcp
A server implementation for the Model Context Protocol (MCP) to enable LLMs to access external context and tools.
mcpc
Build and compose agentic Model Context Protocol (MCP) servers and tools, enabling AI assistants to discover, integrate, and orchestrate other MCP servers for complex tasks.
zeromcp
A minimal, pure Python Model Context Protocol (MCP) server for exposing tools, resources, and prompts via HTTP/SSE and Stdio transports.
mcp-link-server
Provides a local server for AI agents to securely execute powerful tools on the user's machine, enabling real-world capabilities like file operations, system commands, browser automation, and local LLM inference.