super-productivity-mcp-server

The server operates locally, reading a designated SuperProductivity sync file via a path provided by an environment variable. Communication with Claude Code is via standard input/output (stdio), not over a network, significantly reducing the attack surface. There are no explicit uses of dangerous functions like 'eval', no hardcoded secrets, and Pydantic models are used for structured data parsing. The `model_config = {"extra": "allow"}` in Pydantic models is for parsing existing data and does not introduce direct security vulnerabilities in this read-only context. The primary theoretical risk would be if a local attacker could manipulate the `SP_META_PATH` environment variable to point to a maliciously crafted file on the local filesystem, potentially leading to a denial of service through malformed JSON. However, this requires pre-existing local system access.