magick-mcp

by ncipollo

Overview

Provides an MCP server interface for executing ImageMagick commands and managing reusable image processing functions.

Installation

Run Command
magick-mcp mcp

Security Notes

The server uses `std::process::Command` to invoke ImageMagick, passing arguments as a string slice after splitting by whitespace, which helps prevent basic shell injection for direct ImageMagick commands. Environment variables are explicitly cleared before execution, with only the `PATH` variable preserved, enhancing security against malicious environment injection.

However, a **CRITICAL VULNERABILITY** exists in the function management tools (`func_save`, `func_load`, `func_delete`). The `name` parameter, which is user-controlled (e.g., from an MCP client/agent), is directly incorporated into file paths using `PathBuf::join` (e.g., `functions_dir().join(format!("{name}.json"))`). This allows for **path traversal attacks**. A malicious actor can provide a function `name` containing `../` sequences (e.g., `../../../../../../etc/passwd`) to read, write, or delete arbitrary files on the file system outside the intended function storage directory. This could lead to data exfiltration, system corruption, or privilege escalation if the server is run with elevated permissions.
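The join pattern quoted above next to a validated form, as an added example that is not code from magick-mcp. The directory returned by `functions_dir()` here, the helper names `unchecked_path`, `normalize` and `checked_path`, and the 64-character allow-list are assumptions made for illustration.

```rust
use std::path::{Component, Path, PathBuf};

// Hypothetical stand-in: the real storage directory is not shown on the page.
fn functions_dir() -> PathBuf {
    PathBuf::from("/var/lib/magick-mcp/functions")
}

// The pattern described above: `name` flows straight into the file path.
fn unchecked_path(name: &str) -> PathBuf {
    functions_dir().join(format!("{name}.json"))
}

// Resolve `.` and `..` lexically, so the target can be inspected
// without touching the file system.
fn normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for c in path.components() {
        match c {
            Component::ParentDir => { out.pop(); }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

// Hardened form: allow-list the name, then confirm the result is a direct
// child of the storage directory. Filtering `..` alone is not enough, since
// `Path::join` discards the base when its argument is absolute.
fn checked_path(name: &str) -> Result<PathBuf, String> {
    let ok = !name.is_empty()
        && name.len() <= 64 // assumed limit
        && name.chars().all(|c| c.is_ascii_alphanumeric() || c == '_' || c == '-');
    if !ok {
        return Err(format!("invalid function name: {name:?}"));
    }
    let base = functions_dir();
    let path = base.join(format!("{name}.json"));
    if normalize(&path).parent() != Some(base.as_path()) {
        return Err("path escapes the functions directory".to_string());
    }
    Ok(path)
}

fn main() {
    // Constructed sample names; the second is the one quoted on the page.
    for name in ["resize_thumb", "../../../../../../etc/passwd", "/tmp/x"] {
        println!("{name:?}: unchecked={:?} checked={:?}",
                 normalize(&unchecked_path(name)), checked_path(name));
    }
}
```

Each of `func_save`, `func_load` and `func_delete` would need to build its path through the validated helper for the check to be effective.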

Stats

Interest Score: 0
Security Score: 2
Cost Class: Low
Stars: 0
Forks: 0
Last Update: 2025-12-01

Tags

Image Processing, ImageMagick, MCP, Rust, Command-line Tool, Automation