mcp

CRITICAL: The `src/installer/npm-installer.ts` module directly uses `child_process.exec` to run `npm install ${serverId}` where `serverId` is derived from external registry search results (`bestMatch.id` or `bestMatch.npmPackage`). If a malicious actor can register a server with an `id` or `npmPackage` containing shell command injection (e.g., `malicious-package && rm -rf /`), it would lead to **Remote Code Execution (RCE)** on the host machine. This is a severe supply chain attack vector, as the server automatically discovers and installs packages from external sources. HIGH: The `src/auth/credential-store.ts` module uses hardcoded, insecure default values for `ENCRYPTION_KEY` and `JWT_SECRET` if these environment variables are not explicitly set. This makes stored credentials trivially decryptable and JWTs easily forgeable in production environments if not configured correctly. While the `SECURITY.md` warns about this, the default fallback in code remains a high risk. MEDIUM: The system implicitly trusts external registries (mcp.run API, GitHub search, other official registries) for discovering new MCP servers. A compromised registry could serve malicious package metadata, leading to the installation of compromised tools.