extension-mcp-server
by skippr-hq
Overview
Bridges product issues from a browser extension to AI coding agents, enabling automated discovery and fixing of UX, accessibility, and product quality problems.
Installation
npx -y @skippr/extension-mcp-server
Environment Variables
- WS_PORT
Security Notes
CRITICAL: The WebSocket server, which runs locally on port 4040 by default, performs no authentication or authorization on incoming connections. Any process on the user's local machine (or on the network, if the port is firewalled incorrectly) can connect and send `write_issue` messages. The `projectId` parameter in these messages is used directly to construct file paths (`~/.skippr/projects/{projectId}/reviews/...`) with `path.join`. Because `projectId` is validated only as `z.string()`, it is vulnerable to path traversal (e.g., passing `/etc/passwd` or `../../../../etc/passwd` as `projectId`), which could allow a malicious client to write, read, or delete arbitrary files on the local filesystem with the permissions of the user running the server. This is a severe local file manipulation vulnerability.
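A hardened way to turn `projectId` into a directory, shown beside the unsafe pattern described above. This is an added example, not code from the skippr project; the ID format, the function names and the sample IDs are assumptions.

```javascript
const path = require('node:path');
const os = require('node:os');

// Base directory named on the page: ~/.skippr/projects
const PROJECTS_ROOT = path.join(os.homedir(), '.skippr', 'projects');

// Assumed ID format (not taken from the project): a short slug.
const PROJECT_ID_RE = /^[A-Za-z0-9_-]{1,64}$/;

// Unsafe pattern described above: the raw string goes straight into path.join.
function naiveReviewsDir(projectId) {
  return path.join(PROJECTS_ROOT, projectId, 'reviews');
}

// True when `candidate` is `root` itself or lies beneath it.
function isInside(root, candidate) {
  const rel = path.relative(root, candidate);
  const climbs = rel === '..' || rel.startsWith('..' + path.sep);
  return !climbs && !path.isAbsolute(rel);
}

// Hardened resolver: allowlist the ID, then confirm containment after
// resolution as a second, independent check.
function safeReviewsDir(projectId) {
  if (typeof projectId !== 'string' || !PROJECT_ID_RE.test(projectId)) {
    throw new Error('invalid projectId');
  }
  const resolved = path.resolve(PROJECTS_ROOT, projectId, 'reviews');
  if (!isInside(PROJECTS_ROOT, resolved)) {
    throw new Error('projectId escapes projects root');
  }
  return resolved;
}

// Constructed sample inputs: one ordinary ID plus the two values from the note.
const SAMPLES = ['acme-web', '/etc/passwd', '../../../../etc/passwd'];

// Reports, per ID, whether the hardened resolver accepts it and why not.
function audit(ids) {
  return ids.map((id) => {
    try {
      return { id, accepted: true, dir: safeReviewsDir(id) };
    } catch (err) {
      return { id, accepted: false, reason: err.message };
    }
  });
}

console.log(audit(SAMPLES));
```

This check only constrains where a message can write; it does not address the unauthenticated WebSocket listener. It also does not follow symlinks, so a deployment that allows symlinks under the projects directory would additionally need to compare real paths.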
Similar Servers
cclsp
Integrate LLM-based coding agents with Language Server Protocol (LSP) servers to enable robust code navigation, symbol resolution, and refactoring across various programming languages.
context-engine
Provides an agent-agnostic local context engine via Model Context Protocol (MCP) for coding agents, enabling semantic search, planning, code review, and prompt enhancement with AI integration.
mcp-cli-ent
Orchestrates Model Context Protocol (MCP) servers and their tools on-demand for AI agents, without loading tool definitions directly into the agent's context window.
doc-bot
An intelligent MCP (Model Context Protocol) server that enhances AI coding assistants by providing smart documentation management and API references for deep project understanding.