mcp-linux-tools

Verified Safe

by gerard-kanters

Overview

Provides an LLM agent with limited and whitelisted Linux server management capabilities, including file operations, service control, cron management, WordPress interaction, and shell command execution.

Installation

Run Command
/opt/mcp/venv/bin/python /opt/mcp/server.py

Security Notes

The server runs as root, granting high privileges. While most functions employ strict whitelisting (directories, services, WordPress sites) and input sanitization (`shlex.split`, regex validation), certain tools inherently carry elevated risks. The `cron_add` tool allows direct insertion of a command string into the root crontab; if that string contains shell metacharacters, it could lead to shell injection when cron executes the job. The `execute_shell_command` tool is explicitly designed for arbitrary shell command execution (though `shlex.split` mitigates *unintended* shell injection) and runs as root by default, allowing potentially destructive commands. The `mysql_query` tool blocks major destructive SQL commands but permits `UPDATE` queries, which could lead to data corruption.

Strong systemd service hardening (`NoNewPrivileges`, `ProtectSystem`, `ProtectHome`, `PrivateTmp`, `ReadWritePaths`) and Python sandbox restrictions (PATH, no network) provide good host-level and runtime isolation. The documentation clearly flags dangerous tools with explicit warnings for LLMs.

Stats

Interest Score: 10
Security Score: 6
Cost Class: Low
Avg Tokens: 750
Stars: 1
Forks: 0
Last Update: 2025-12-19

Tags

Linux, Server Management, Systemd, WordPress, Cron Jobs