pabal-web-mcp

CRITICAL: Path Traversal Vulnerability. The `slug` and `appSlug` parameters used in tools (e.g., `init-project`, `aso-to-public`, `public-to-aso`, `improve-public`, `validate-aso`, `keyword-research`, `create-blog-html`) are directly concatenated into file paths using `path.join`. These parameters are user-provided strings (after `trim()`) and are not sanitized to prevent path traversal sequences (e.g., `../../`). A malicious user could potentially read, write, or overwrite arbitrary files on the system by providing a crafted `slug` or `appSlug`. MODERATE: External Image Downloads. The `downloadImage` function in `public-to-aso` fetches images from external URLs. While the URLs originate from the `config.json` (assumed trusted), if `config.json` could be manipulated by a malicious actor, it could lead to Server-Side Request Forgery (SSRF) or downloading of malicious content. No obvious hardcoded credentials were found, as the server defers credential management to `pabal-mcp`'s configuration.