
mcp-supervisor

by dull-quay940

Overview

The MCP Supervisor manages, orchestrates, and monitors autonomous agent workers, providing a RESTful API for tasks like system health checks, file operations, data transformation, and API calls.

Installation

Run Command
docker-compose up -d

Environment Variables

  • SUPERVISOR_PORT
  • ALLOW_AUTONOMY
  • LOG_PATH
  • MAX_AGENT_RUNTIME_MS
  • MAX_AGENT_RETRIES
  • DOCKER_ENABLED
  • NODE_ENV

Security Notes

The server carries several critical security risks:

  1. The Docker Compose setup mounts `/var/run/docker.sock` into the supervisor container, which grants it full control of the host's Docker daemon, equivalent to root on the host. A compromise of the supervisor can therefore escalate to a compromise of the host.

  2. When `ALLOW_AUTONOMY` is set to `true`, agents are permitted to perform file modifications, network requests, and system commands. `manifest.json` defines allowed directories and blocked commands, and `monitor.js` includes path validation, but agents such as `backup-manager` and `health-checker` use `child_process.exec` (promisified as `execPromise`). Passing user-controlled input into these shell commands remains vulnerable to command injection, even when paths are resolved, unless every argument is rigorously escaped or sanitized for shell metacharacters.

  3. The `api-caller` agent can make requests to arbitrary URLs when `ALLOW_AUTONOMY` is enabled, creating a risk of SSRF and other network-based attacks.


Stats

  • Interest Score: 0
  • Security Score: 4
  • Cost Class: Medium
  • Avg Tokens: 300
  • Stars: 0
  • Forks: 0
  • Last Update: 2026-01-19

Tags

  • agent-orchestration
  • automation
  • self-hosted
  • docker
  • nodejs