pabal-mcp

The server runs 100% locally and handles credentials and cached ASO data on the user's machine, reducing external attack surfaces. Sensitive configurations (API keys, service account JSON) are loaded from a user-defined path (`~/.config/pabal-mcp/config.json`) with recommendations for strict file permissions (`chmod 700` for directory, `chmod 600` for files). Logging explicitly redacts sensitive parameters. It leverages official SDKs (`appstore-connect-sdk`, `googleapis`) for store interactions. The `downloadImage` function in `aso-pull` performs external network requests, but these are typically for screenshot URLs originating from the trusted store APIs, and not directly user-controlled in a way that implies immediate vulnerability to arbitrary code execution or large file downloads beyond the scope of ASO data itself. No 'eval' or similar dangerous patterns were found.