mokei
by TairuFramework
Overview
TypeScript toolkit for building and orchestrating AI applications using the Model Context Protocol (MCP), providing server/client implementations, multi-context hosting, session management, agent loops, and integrations with various LLM providers (OpenAI, Anthropic, Ollama), including monitoring and CLI tools.
Installation
npx @mokei/mcp-fetch
Environment Variables
- OPENAI_API_KEY
- ANTHROPIC_API_KEY
Security Notes
The toolkit includes example MCP servers and documentation that demonstrate patterns with significant security risks if deployed or used with untrusted inputs:
- **SQL Injection**: The `@mokei/mcp-sqlite` server directly executes SQL statements provided as tool arguments (`db.prepare(req.arguments.sql)`). If tool arguments originate from an untrusted source (e.g., a malicious LLM prompt), this is a critical SQL injection vulnerability.
- **Server-Side Request Forgery (SSRF)**: The `@mokei/mcp-fetch` server fetches URLs provided as tool arguments (`await fetch(req.arguments.url)`). If tool arguments are untrusted, this can be exploited for SSRF.
- **Remote Code Execution (RCE) via child process spawning**: `ContextHost.addLocalContext` and `Session.addContext` allow spawning arbitrary child processes (`command`, `args`). If these parameters can be influenced by untrusted input (e.g., from an LLM generating tool calls), it can lead to RCE on the host system.
- **RCE via `Function()` constructor (documentation example)**: The documentation for `Session`'s local tools includes an example `calculate` tool that uses ``Function(`"use strict"; return (${expression})`)()`` to evaluate a math expression. While not directly `eval()`, the `Function` constructor still allows arbitrary code execution if the `expression` input is untrusted, posing an RCE risk on the client side when an LLM is given control over this tool's arguments.
Similar Servers
mcp-use
A comprehensive framework for building full-stack Model Context Protocol (MCP) applications, including AI agents, MCP servers with UI widgets, and integrated debugging tools in both Python and TypeScript.
boilerplate-mcp-server
Provides a production-ready foundation for developing custom Model Context Protocol (MCP) servers in TypeScript to connect AI assistants with external APIs and data sources, exemplified by an IP geolocation tool.
mcp
An MCP server providing a set of mathematical tools (calculator functions) for remote execution via the Model Context Protocol.
mcp-typescript-starter
A feature-complete Model Context Protocol (MCP) server template in TypeScript demonstrating all major MCP features for AI assistant interaction.