mcp-server-verkada

The most critical security risk identified is the potential for Local File Inclusion (LFI) via the `updateProfilePhoto` tool. The input schema for this tool's body parameter `file` is `z.string().optional()` with a description stating "Profile photo file path (formatted @/<image-path>)". This format strongly suggests the server will attempt to read a file from the local filesystem based on user-provided input, which could allow an attacker to read arbitrary files if not robustly sanitized and validated. While Zod is used for validation, the specific handling of this `@/<image-path>` pattern in `callVerkadaAPI` is not fully visible, but the pattern itself is inherently risky. Standard Node.js `npm install` practices also present supply chain risks if dependencies are compromised. The server relies on environment variables for API keys (`VERKADA_API_KEY`), which is a good practice to avoid hardcoding secrets in source code.