lite-mcp

by stonehill-2345

Overview

A comprehensive framework for AI-driven testing and automation, providing various Model Context Protocol (MCP) servers for interacting with Android devices, file systems, databases, mouse/keyboard, and integrating external MCP services.

Installation

Run Command
./scripts/manage.sh up

Environment Variables

  • LiteMCP_ROOT
  • LiteMCP_LOG_LEVEL
  • MCP_SERVER_HOST
  • JINA_API_KEY

Security Notes

This server exhibits critical security vulnerabilities:

  • Dynamic code execution (RCE): present in `src/tools/external/external_mcp_server.py` via `exec` on data derived from external MCP tools, and explicitly in `web/services/system-tools/tools/CodeExecutorTool.js` (JavaScript `new Function()`), making it highly susceptible to malicious code injection if an attacker can control external tool definitions.
  • SQL injection: possible in `src/tools/operate_mysql/opmysql_server.py`, where the `operation_mysql` tool directly executes user-provided `sql` without proper sanitization.
  • Shell injection: possible in `src/tools/android_tools/android_server.py` and `src/tools/fastbot_server.py`, which directly execute `adb` commands constructed with user-provided arguments (e.g., `device_id`, `package_name`). The `_run_adb_command` function uses `subprocess.run` with raw user input in `cmd`.
  • Credential exposure: database credentials are passed via HTTP headers in `opmysql_server.py`, which is insecure if not over HTTPS.
  • Server-Side Request Forgery (SSRF): the proxy server (`src/core/proxy_server.py`) has potential for SSRF if the `base_url` for target services can be manipulated.

Running this server in any environment, especially with network exposure, poses severe risks including full system compromise.

Stats

  • Interest Score: 22
  • Security Score: 2
  • Cost Class: High
  • Avg Tokens: 15000
  • Stars: 17
  • Forks: 9
  • Last Update: 2025-12-22

Tags

  • MCP
  • Testing
  • Automation
  • Android UI Automation
  • Database Operations
  • File System
  • Mouse/Keyboard Control
  • API Framework
  • AI Agents