claude-mcp-server

- **Critical: Command Injection Vulnerability**: The `agent-provisioner.ts` service's `generateBootstrapScript` concatenates `additionalTools` directly into a shell script without proper escaping, leading to a command injection vulnerability during agent provisioning. - **High: API Key Exposure**: The `/lina/key` endpoint exposes the master API key and relies solely on path obscurity for security, making it vulnerable to discovery. - **High: Privilege Escalation Risk**: Multiple powerful MCP tools (e.g., `create_agent`, `delete_agent`, `create_agent_token`) are exposed via the `/mcp` endpoint. The `handleToolCall` in `mcp.ts` does not consistently and explicitly verify master token or granular permissions, potentially allowing non-master agents to execute privileged actions. The `api-agents.ts` route for agent creation has checks, but the MCP tool handler might bypass them. - **Medium: Default Credentials**: In development mode, default API keys and encryption keys are used. While `requireEnv` is used for production, these defaults pose a significant risk if deployed incorrectly. - **Medium: `su` Command Usage**: Services like `agent-manager.ts` and `agent-provisioner.ts` heavily rely on `su` to execute commands as specific Unix users, requiring root privileges for the server. Any flaw in command construction or user input sanitization could lead to full system compromise.