starlark-mcp

Verified Safe

by connyay

Overview

A flexible server for the Model Context Protocol that allows users to create custom tools using Starlark scripts, integrating with external systems via built-in modules for HTTP, databases, and system commands.

Installation

Run Command
npx starlark-mcp

Environment Variables

  • API_KEY
  • MY_API_KEY
  • MY_API_URL
  • DATABASE_URL

Security Notes

The server uses Starlark, a sandboxed language, which limits arbitrary system access by default. The `exec` module enforces a strict `allowed_exec` whitelist, preventing extensions from running unapproved system commands. The `data.load_json` function includes explicit path traversal (`..`) checks and confines file access to the designated extensions directory. The `http`, `postgres`, and `sqlite` modules enable external interactions, which is expected functionality; they rely on the `reqwest`, `postgres`, and `rusqlite` crates, which are generally robust. PostgreSQL passwords are obfuscated in error messages. The server communicates primarily over stdio, limiting direct network exposure. Test files (`_test.star`) are filtered out and not loaded as active tools. The primary security model relies on careful vetting of extensions and their `allowed_exec` declarations, but the framework provides strong safeguards to manage potential risks.

Stats

  • Interest Score: 30
  • Security Score: 9
  • Cost Class: Low
  • Stars: 1
  • Forks: 0
  • Last Update: 2026-01-18

Tags

  • MCP
  • Starlark
  • Tooling
  • Extensions
  • Automation