vulnerable-notes-mcp

This server is intentionally designed with numerous critical security vulnerabilities, as explicitly stated in its README. Key risks include: - **Hardcoded Secrets (SAFE-T1601):** API keys (OpenAI, AWS, Stripe) are directly embedded in `src/tools/export.ts`. - **Overly Broad OAuth Scopes (SAFE-T1602):** OAuth configurations in `src/tools/export.ts` request excessive permissions (e.g., full Google Drive, Gmail modify, full repo access for GitHub). - **Path Traversal & Unvalidated File Operations (SAFE-T1101, SAFE-T1201):** Functions like `readFile`, `writeFile`, `listFiles` in `src/utils/helpers.ts` and file writes in `src/tools/export.ts` (e.g., `writeToSharedLocation`) lack path sanitization, allowing arbitrary file system access and writes outside intended directories. Filenames are also not sanitized, leading to further path traversal. - **Direct Prompt Injection (SAFE-T1301):** User-provided `customPrompt` in `notes_summarize` (`src/tools/notes.ts`) is directly concatenated into the LLM prompt without sanitization. - **Hidden Instructions & Schema Poisoning (SAFE-T1001, SAFE-T1002, SAFE-T1402):** Zero-width characters and malicious instructions are embedded in tool descriptions and input schemas in `src/tools/search.ts`, designed to manipulate agent behavior. - **Unauthorized Execution (SAFE-T1701):** `notes_delete` and `notes_cleanup` in `src/tools/notes.ts` perform sensitive and destructive file operations without confirmation. - **Sensitive Data Leakage (SAFE-T1801, SAFE-T1802):** Error messages (`src/tools/notes.ts`, `src/utils/helpers.ts`) and debug logs (`src/index.ts`) expose full file paths, working directories, system information, environment variable keys, and even memory usage. Backups also include hardcoded credentials (`src/tools/export.ts`). - **Configuration Poisoning (SAFE-T1401):** The server loads configuration from unvalidated environment variables, local files, and remote URLs, allowing attackers to inject dangerous settings like `ALLOW_SYSTEM_COMMANDS` or `WEBHOOK_URL`. - **Supply Chain Vulnerabilities (SAFE-T1501):** Dependencies are pinned to `latest` without integrity hashes in `src/config/settings.ts`, enabling potential 'tool rug pull' or supply chain attacks. - **System Instruction Bypass (SAFE-T1302):** The primary system prompt can be fully overridden via the `OVERRIDE_SYSTEM_PROMPT` environment variable (`src/index.ts`). - **Multimodal Prompt Injection (SAFE-T1303):** Image URLs are processed without validation in `src/index.ts`, trusting embedded instructions. - **Cross-Agent Resource Access (SAFE-T1102):** Shared state mechanisms (`getSharedState`, `setSharedState`, `deleteSharedState`, `broadcastToAgents` in `src/utils/helpers.ts`) lack authentication or authorization, allowing any agent to read/write/delete other agents' data and receive sensitive broadcasts.