MCP_NODE

The gateway's `stdio-client` can execute arbitrary commands (`npx`, `command`, `args`) configured via the `MCP_SERVERS` environment variable. While `MCP_SERVERS` is intended for administrative configuration, any compromise of the environment or application could lead to arbitrary code execution on the host where the gateway runs. The `filesystem` MCP server, if configured, explicitly requires 'Full Disk Access' on macOS, exposing a broad attack surface. The gateway does not perform input validation on tool arguments against the tool's schema, relying entirely on individual MCP servers for this, which could be a vulnerability if an MCP server is misconfigured or a malicious prompt bypasses Bedrock's guardrails. No hardcoded secrets were found in the code, and AWS credentials are handled via IAM roles or Secrets Manager, which are good practices for secure credential management.