
multi-agent-mcp

Verified Safe

by carlosduplar

Overview

Intelligent routing and guidance layer for AI coding agents, enabling seamless delegation of specialized tasks to various tools while maintaining context and privacy.

Installation

Run Command
delegation-mcp

Environment Variables

  • ANTHROPIC_API_KEY
  • GOOGLE_API_KEY
  • OPENAI_API_KEY
  • OPENROUTER_API_KEY

Security Notes

The core `DelegationMCPServer` (when run as `delegation-mcp`) is designed as a routing guidance layer and explicitly states 'No Code Execution' for user tasks: it only suggests commands to the client. Its own use of `subprocess` is limited to agent discovery (`which` lookups and `--version` checks), which is low-risk.

The `OrchestratorRegistry.execute` method, used by other components such as `DelegationEngine` and `WorkflowEngine` (e.g., via the `delegation-workflow` CLI), *does* execute external commands. It builds them as argument lists passed to asyncio's `create_subprocess_exec`, so no shell parses the command line; this is generally safer against shell injection than passing a single command string. It also sanitizes the environment handed to subprocesses using an allowlist approach, so only named variables reach the child process.

The `WorkflowContext.interpolate` method carries a warning about escaping interpolated strings that end up in shell commands. That is the point to watch: if workflow inputs are untrusted, or if the external CLIs have argument-parsing weaknesses (for example, treating a value that begins with `-` as an option), an interpolated value can change what the delegated tool does even when no shell is involved.

No direct shell injection vulnerabilities were found in the project's own subprocess calls, but because it relies on external CLIs, their security model is inherited.
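The three controls described above (argument-list exec, an environment allowlist, and quoting when a shell string is unavoidable), as an added example written from scratch against the asyncio API. This is not code from multi-agent-mcp; `ENV_ALLOWLIST`, `build_argv`, `sanitize_env`, `interpolate_for_shell` and the hostile task string are assumptions for this example, and a Python one-liner stands in for the external agent CLI so the block runs offline.

```python
"""Added example, not code from multi-agent-mcp. Demonstrates list-form
subprocess execution, an environment allowlist, and shell quoting for the
one case where a command must be a shell string. All names are assumptions."""
import asyncio
import os
import shlex
import sys

# Assumed allowlist; the project's actual list is not reproduced here.
ENV_ALLOWLIST = frozenset({"PATH", "HOME", "LANG", "TMPDIR", "OPENAI_API_KEY"})

# Constructed hostile workflow input: shell metacharacters plus a leading
# dash, the two things an interpolation step has to worry about.
HOSTILE_TASK = "-x; echo pwned > /tmp/owned $(id) `whoami`"


def sanitize_env(source: dict) -> dict:
    """Allowlist approach: copy only the named variables, drop everything else
    (including any secret the caller's environment happens to hold)."""
    return {k: v for k, v in source.items() if k in ENV_ALLOWLIST}


def build_argv(cli_argv: list, task: str) -> list:
    """List form: each element reaches the child verbatim, no shell parses it.
    '--' ends option parsing in getopt/argparse-style CLIs, so a task that
    starts with '-' cannot be read by the external tool as a flag."""
    return [*cli_argv, "--", task]


def interpolate_for_shell(template: str, values: dict) -> str:
    """If a step really is a shell string, quote every interpolated value.
    Plain str.format would leave ';', '>', '$(...)' and backticks live."""
    return template.format(**{k: shlex.quote(str(v)) for k, v in values.items()})


async def run_exec(argv: list, env: dict):
    """Execute without a shell and with only the allowlisted environment."""
    proc = await asyncio.create_subprocess_exec(
        *argv, env=env,
        stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE)
    out, _ = await proc.communicate()
    return proc.returncode, out.decode()


# Stand-in for an external agent CLI: reports the last argument it received
# and whether the secret leaked into its environment.
CHILD = ("import os, sys; "
         "print(repr(sys.argv[-1])); print('SECRET_TOKEN' in os.environ)")


def demo() -> dict:
    # A secret present in the parent environment must not reach the child.
    env = sanitize_env({**os.environ, "SECRET_TOKEN": "should-not-leak"})
    argv = build_argv([sys.executable, "-c", CHILD], HOSTILE_TASK)
    rc, out = asyncio.run(run_exec(argv, env))
    received, leaked = out.strip().splitlines()
    return {
        "returncode": rc,
        # No shell ran, so ';', '>' and '$(id)' arrived as literal text.
        "task_received_verbatim": received == repr(HOSTILE_TASK),
        "secret_leaked": leaked == "True",
        # The shell-string path: same input, but quoted before interpolation.
        "shell_form": interpolate_for_shell(
            "grep -n {pattern} {path}",
            {"pattern": HOSTILE_TASK, "path": "a b.txt"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `--` separator is the part most often forgotten: list-form exec stops the shell from interpreting a value, but it does not stop the delegated CLI from interpreting a value that begins with `-` as one of its own options, which is exactly the inherited-security-model caveat raised above.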

Stats

Interest Score: 0
Security Score: 8
Cost Class: Low
Avg Tokens: 1739
Stars: 0
Forks: 0
Last Update: 2025-11-28

Tags

mcp-server, multi-agent, agent-orchestration, routing, guidance, cli-automation