onemcp

1. Arbitrary Command Execution from Configuration: The `mcpServers` configuration allows defining external MCP servers via a `command` field, which is executed via `os/exec.Command`. If the `.onemcp.json` configuration file can be modified by an unauthorized entity, it presents a critical arbitrary command execution vulnerability. 2. Dangerous LLM CLI Flags: The `internal/llmsearch` package invokes external LLM CLIs (`claude`, `codex`) with explicitly 'dangerous' flags: `--dangerously-skip-permissions` (for `claude`) and `--dangerously-bypass-approvals-and-sandbox` (for `codex`). These flags disable important security safeguards of the underlying CLIs, increasing the risk of command injection, privilege escalation, or unintended side effects if the LLM output or prompts are not perfectly contained/sanitized. 3. External Dependency Risk: Reliance on external `claude`, `codex`, `copilot` CLIs introduces a dependency chain risk. Vulnerabilities in these external tools, or unexpected behavior from their LLM responses, could be amplified by the 'dangerous' flags. 4. No obvious hardcoded secrets or direct `eval` usage was found.