atlantis-mcp-server

The server design focuses on limiting the network attack surface by binding exclusively to localhost (127.0.0.1) by default and using an outbound-only connection to a trusted cloud server for external access. Internal functions for server management (e.g., `_function_set`, `_admin_pip_install`) are restricted to the 'owner'. However, critical security considerations stem from its core functionality: 1. **Arbitrary Code Execution (Owner-only):** The `_function_set` tool allows the owner to upload and execute arbitrary Python code. The `_admin_pip_install` tool allows the owner to install arbitrary Python packages, which could introduce vulnerabilities if a malicious package is installed. 2. **Information Disclosure (Developer Error):** The `_function_get` tool returns the *entire file* containing a requested function. The documentation explicitly warns against hardcoding sensitive data (e.g., API keys, credentials) in function files, as this would expose them if the file is retrieved. Reliance on developer adherence to environment variable best practices is critical here. 3. **Local Host Compromise:** The system assumes the host machine is trusted, meaning any malicious local process can establish a localhost connection and gain 'owner' privileges, effectively bypassing access controls. 4. **Cloud Service Trust:** The server relies on the integrity and authentication mechanisms of the `projectatlantis.ai` cloud server. A compromised cloud service could spoof requests or owner identity. Overall, the architecture is robust against direct external attacks but places high trust in the owner's environment and practices, as well as the connected cloud service.