website-builder-mcp

The server uses `fs-extra` for file system operations (creating directories, reading/writing files). While `path.join` is used for site and page names, which helps mitigate basic path traversal for output paths, the `excelFile` argument in `build_from_excel` takes an arbitrary path. If the server runs with broad file system permissions, a malicious input for `excelFile` could potentially read sensitive files (e.g., `../../../../etc/passwd`). Additionally, the server uses `Mustache.render` with triple curly braces (`{{{content}}}`) for embedding user-provided HTML content. This means that if malicious HTML (e.g., `<script>alert('XSS')</script>`) is provided as an argument to `add_page` or embedded within Excel data, it will be directly injected into the generated HTML files. While this doesn't directly compromise the MCP server's execution, it enables the generation of websites vulnerable to Cross-Site Scripting (XSS), which then poses a risk to end-users browsing the generated sites. Users should ensure inputs (especially `excelFile` paths and HTML content) come from trusted sources.