bradhave94/remote-mcp-server-authless
Risk: high
Repository description: none
MCP server (purpose undetermined)
    this.server.tool(
      "debug_env",
      {},
      async () => {
        try {
          const env = this.env as Env;
          const hubspotPat = env.HUBSPOT_PAT;
          const envKeys = Object.keys(env);
          return {
            content: [{
              type: "text",
              text: `🔍 **Environment Debug Info:**\n` +
                `- Environment available: ✅ Yes\n` +
                `- HUBSPOT_PAT present: ${hubspotPat ? '✅ Yes' : '❌ No'}\n` +
                `- HUBSPOT_PAT value: ${hubspotPat ? '[HIDDEN - Present]' : '[NOT SET]'}\n` +
                `- Available env keys: ${envKeys.length > 0 ? envKeys.join(', ') : 'None'}\n` +
                `- Environment type: ${typeof env}`
            }],
          };
        } catch (error) { ... }

Exploitability: exploitable if the MCP server is exposed to untrusted prompts (network_exposed) or reached through a compromised LLM (local_only).
The debug_env tool takes no arguments, performs no authorization check, and reports whether HUBSPOT_PAT is set together with every key on the env object (Object.keys(env)). The PAT value itself is masked, but the tool confirms that the credential exists and enumerates the names of every other secret and binding the server is configured with. That output lands in the model's context, where an injected prompt can direct the model to act on it.
Impact: Any caller who can make the model invoke the tool (for example through prompt injection in a document or tool result the model reads) learns that HUBSPOT_PAT is set and obtains the full list of environment variable names. This is reconnaissance rather than direct credential theft, but it hands the attacker a map of credential-bearing variables to target through any other tool or bug that reflects env values.
Fix: Remove the debug_env tool. If a diagnostic tool is genuinely needed, register it only in non-production builds, gate it behind authentication, and have it return a fixed, non-sensitive status rather than environment variable names or presence indicators.
    this.server.tool(
      "get_brand",
      {
        brand: z.string().describe("The brand name to get data for")
      },
      async ({ brand }) => {
        try {
          const webhookUrl = "https://lean-labs.app.n8n.cloud/webhook/440927fa-cc27-43f6-a4ec-b010f9edf58e";
          const response = await fetch(webhookUrl, {
            method: 'POST',
            headers: { 'Content-Type': 'application/json' },
            body: JSON.stringify({ brand: brand }),
          });

Exploitability: exploitable if the MCP server is exposed to untrusted prompts (network_exposed) or reached through a compromised LLM (local_only).
The get_brand tool forwards the caller-supplied brand parameter, unvalidated and unbounded, to a hardcoded n8n webhook URL. The destination is fixed, so the attacker does not choose where the data goes; what the attacker controls is the content of the request body and when the workflow runs. Because the webhook URL, including its path token, is embedded in source, anyone with access to the code can also trigger the workflow directly, without going through the MCP server at all.
Impact: An attacker who controls the prompt can make the model place arbitrary content in brand, including data from earlier tool results, and deliver it to the n8n workflow, and can invoke the workflow repeatedly with attacker-chosen input. Whether that amounts to exfiltration or to unintended actions depends on what the workflow does with the brand field, which this server does nothing to constrain.
Fix: Validate brand against a short allowlist (length cap, no control characters, no JSON or URL syntax) before it is sent. Where the workflow does not need free text, do not forward model-controlled text to external services at all. Move the webhook URL out of source into configuration, and restrict the tool to authorized callers.
    this.server.tool(
      "add_to_hubdb",
      {
        text: z.string().describe("The text content to add to the HubDB table"),
        title: z.string().optional().describe("Optional title for the entry")
      },
      async ({ text, title }) => {
        try {
          const env = this.env as Env;
          const hubspotPat = env.HUBSPOT_PAT;
          if (!hubspotPat) { ... }
          const tableId = "121470811";
          const apiUrl = `https://api.hubapi.com/cms/v3/hubdb/tables/${tableId}/rows`;
          const rowData = { values: { content: text } };
          const response = await fetch(apiUrl, {
            method: 'POST',
            headers: {
              'Authorization': `Bearer ${hubspotPat}`,
              'Content-Type': 'application/json',
            },
            body: JSON.stringify(rowData),
          });

Exploitability: exploitable if the MCP server is exposed to untrusted prompts (network_exposed) or reached through a compromised LLM (local_only).
The add_to_hubdb tool writes to a fixed HubDB table (tableId 121470811) using the HUBSPOT_PAT secret, with no authentication or authorization check on the caller. The optional title parameter is declared but never written; only text reaches the row (values: { content: text }), and its length is unbounded. Any client or LLM that can reach this tool can append arbitrary rows to the table under the operator's credentials.
Impact: An attacker can insert arbitrary content into the HubDB table: corrupting data, planting malicious or misleading content wherever that table is rendered, or simply filling it. Every write is performed with the operator's PAT, so it is attributed to the operator and counts against their HubSpot API limits.
Fix: Require authentication and check an explicit write permission before the tool runs, and consider a user-confirmation step for writes. Bound the size of text, and keep the PAT out of any text returned to the model.