MCPbundler

The MCP Bundler itself is open-source and appears to have undergone a hygiene process to remove licensing/wallet gating and secrets. However, its core functionality involves running user-defined local STDIO servers, which means it will execute arbitrary commands specified by the user in the `execPath` and `args` fields. This introduces a significant risk of arbitrary code execution if misconfigured or if untrusted server definitions are imported. The `fetch_temp_file` tool is validated to limit file access to `/tmp` or `/var/folders` and enforce size limits, mitigating some local file access risks. OAuth flows and marketplace integrations involve network requests to external services, which are standard but rely on the security of those external endpoints. The hardcoded client origin `https://mcp-bundler.maketry.xyz` is a minor concern, as a compromise of this domain could potentially enable phishing or MITM attacks against the application's own communication. Users must exercise caution when configuring and importing server definitions.