poly-mcps

Verified Safe

by hyperpolymath

Overview

Provides a unified interface for managing various developer tools and infrastructure services across multiple domains through a single Model Context Protocol (MCP) server ecosystem.

Installation

Run Command
No command provided

Security Notes

The project demonstrates a strong commitment to security through its comprehensive `SECURITY.md` file. It outlines a clear vulnerability reporting process (preferring GitHub Security Advisories or encrypted email), detailed response timelines, a coordinated disclosure policy, and a 'safe harbor' for good-faith researchers. The policy clearly defines what is in-scope and out-of-scope, and lists qualifying and non-qualifying vulnerabilities. It also provides explicit security best practices for contributors and users.

Critically, the README explicitly warns about 'CLI-wrapping MCPs' (e.g., poly-k8s, poly-cloud, poly-git, poly-container) executing commands with the user's local credentials, stating that the MCP client can perform any action the user can perform with those tools. This is an inherent design characteristic, not a vulnerability, but it places a significant operational security burden on the user. Recommendations are provided to mitigate this risk (minimal-permission credentials, separate config profiles, reviewing tool calls).

Without access to the specific source code of each sub-project (e.g., `poly-db-mcp`, `poly-k8s-mcp`), a deep code-level audit for patterns like 'eval', obfuscation, hardcoded secrets, or malicious patterns cannot be performed. However, the project's robust security policy and transparent disclosure of design-level security considerations are highly commendable, justifying a strong score for its overall security posture and transparency.

Stats

Interest Score: 30
Security Score: 8
Cost Class: Low
Stars: 1
Forks: 0
Last Update: 2026-01-17

Tags

Developer Tools, Polyglot, Unified Interface, Infrastructure Management, Data Access