vite-mcp

The plugin is designed for development environments, which influences its security posture. The MCP server endpoint `/__mcp` has `Access-Control-Allow-Origin: *`, which is typical for development servers but could be a risk if the server is accidentally exposed publicly without proper network restrictions or authentication. Adapters execute code within the browser context, which is the intended functionality. Input/output validation is enforced using Zod schemas, which is a strong positive. The serialization of adapter `handler` functions using `toString()` and subsequent (re)evaluation in the browser bridge, while used internally and for developer-provided functions, could be brittle or a vector for injection if not handled carefully, though no direct exploitable flaw is immediately apparent given the typical use case where the developer controls the plugin configuration.