inspector

by mcp-use

Overview

An interactive developer tool for testing, debugging, and monitoring MCP (Model Context Protocol) servers, including their tools, prompts, resources, and UI widgets.

Installation

Run Command
npx @mcp-use/inspector

Environment Variables

  • MCP_USE_ANONYMIZED_TELEMETRY
  • PORT

Security Notes

1. Server-Side Request Forgery (SSRF) via `devWidgetUrl`: The `/inspector/api/dev-widget/:toolId` endpoint fetches content from `widgetData.devWidgetUrl`. The `storeWidgetData` function (in `src/server/shared-utils.ts`) does not appear to validate or sanitize `devWidgetUrl` or `devServerBaseUrl` from the request body before storing and later using them. A malicious client could potentially supply an arbitrary URL, coercing the server to make requests to internal network resources, leading to information disclosure or unauthorized actions. This is a critical vulnerability.

2. Content Security Policy (CSP) with `unsafe-inline`: The `generateWidgetContentHtml` function dynamically constructs a CSP for rendering widgets, which includes `default-src 'self' 'unsafe-inline'` when `widgetCSP` metadata is present. `unsafe-inline` allows the execution of inline scripts and styles, posing a potential Cross-Site Scripting (XSS) risk if an attacker can inject malicious content into widget HTML.

3. Client-side exposure of LLM API keys: For client-side LLM-based chat and AI-powered sampling approval, API keys (e.g., OpenAI, Anthropic, Google) are stored in the user's browser `localStorage`. This means keys are accessible to any client-side script and are not protected by server-side mechanisms. This is a user security consideration.

Stats

  • Interest Score: 40
  • Security Score: 4
  • Cost Class: Medium
  • Avg Tokens: 1000
  • Stars: 9
  • Forks: 1
  • Last Update: 2026-01-17

Tags

  • Debugging
  • Developer Tool
  • MCP
  • AI
  • UI Testing
  • Monitoring