skilljack-mcp

The server implements strong defenses against common file-related vulnerabilities: - Path traversal is prevented using `fs.realpathSync` and `path.resolve` to ensure all file accesses remain within the configured skill directories. - Symlinks are explicitly checked and rejected (`stat.isSymbolicLink()`) to prevent escape attacks. - File reads are limited by `MAX_FILE_SIZE` (default 1MB, configurable via `MAX_FILE_SIZE_MB` environment variable) to mitigate denial-of-service or memory exhaustion risks. - Directory recursion depth is limited (`MAX_DIRECTORY_DEPTH` = 10) to prevent deep traversal attacks. - Input validation for tool arguments is performed using Zod schemas. The server operates via `StdioServerTransport`, limiting direct external network exposure. Skills themselves are treated as trusted content; the primary risk would be if malicious content were *placed within* a trusted skill directory by an attacker with local access. Overall, well-secured for its intended purpose.