MyPrototypeWhat/mcp-auto-install
criticalMCP Auto Install is a tool for automatically installing and managing Model Context Protocol (MCP) servers. It can automatically detect, install, and configure various MCP servers, making it easier for developers to use the MCP ecosystem.
MCP server (purpose undetermined)
809export async function saveCommandToExternalConfig(
810 serverName: string,
811 command: string,
812 args: string[],
813 env?: Record<string, string>
814): Promise<OperationResult> {
815 try {
816 if (!command) {
817 return { success: false, message: "Command cannot be empty" };
818 }
819 const externalConfigPath = process.env.MCP_SETTINGS_PATH;
820 if (!externalConfigPath) {
821 return { success: false, message: "MCP_SETTINGS_PATH environment variable not set..." };
822 }
823 const configData = await fs.readFile(externalConfigPath, "utf-8");
824 const config = JSON.parse(configData);
825 config.mcpServers[serverName] = { command, args, env: env || {} };
826 await fs.writeFile(externalConfigPath, JSON.stringify(config, null, 2), "utf-8");// Exploitable if MCP is exposed to untrusted prompts (network_exposed) or if LLM is compromised (local_only).
The tools saveCommandToExternalConfig and handleParseConfig write to a file path specified by the MCP_SETTINGS_PATH environment variable. An attacker controlling the LLM prompt can set this environment variable to any writable path (e.g., ~/.ssh/authorized_keys, /etc/cron.d/malicious) and write arbitrary JSON content, potentially overwriting critical system or user files.
ImpactAn attacker could overwrite sensitive files such as SSH authorized keys, cron jobs, or configuration files, leading to privilege escalation, persistent backdoor, or denial of service.
FixRestrict the write path to a safe, hardcoded directory (e.g., ~/.mcp/config). Validate that the resolved path is within an allowed directory. Avoid using an environment variable to determine the write target.
574export async function handleInstallServer(args: {
575 serverName: string;
576 useNpx?: boolean;
577}): Promise<OperationResult> {
578 const { serverName, useNpx = true } = args;
579 const server = await findServer(serverName);
580 if (!server) {
581 return { success: false, message: `Server '${serverName}' not found...` };
582 }
583 try {
584 if (useNpx) {
585 const packageName = await getPackageNameFromRepo(server.repo);
586 if (!packageName) {
587 throw new Error(`Could not determine package name for ${server.repo}`);
588 }
589 const { stdout, stderr } = await exec(`npx ${packageName}`);// Exploitable if an attacker can register a malicious server (e.g., via handleRegisterServer) or if the LLM is compromised and can call handleInstallServer.
The handleInstallServer function executes an npx command with a package name derived from a repository URL. The package name is not sanitized and could be manipulated if the server.repo field is attacker-controlled (e.g., via a malicious server entry). Additionally, the git clone path uses server.repo directly in a shell command, allowing command injection if the repo URL contains shell metacharacters.
ImpactAn attacker could execute arbitrary shell commands on the host system, leading to full compromise of the MCP host.
FixAvoid constructing shell commands with user-controlled strings. Use execFile or spawn with arguments array. Validate and sanitize repository URLs. Consider using a safe API for package installation.
897export async function handleParseConfig(args: {
898 config: string;
899}): Promise<OperationResult> {
900 try {
901 const userConfig = JSON.parse(args.config);
902 if (!userConfig.mcpServers) {
903 userConfig.mcpServers = {};
904 }
905 for (const [serverName, serverConfig] of Object.entries(userConfig.mcpServers)) {
906 const config = serverConfig as { command: string; args: string[] };
907 if (!config.command || !Array.isArray(config.args)) {
908 return { success: false, message: `Invalid configuration format...` };
909 }
910 }
911 const externalConfigPath = process.env.MCP_SETTINGS_PATH;
912 if (!externalConfigPath) { ... }// Exploitable if MCP is exposed to untrusted prompts or if LLM is compromised.
The handleParseConfig tool accepts arbitrary JSON and writes it to a file path from an environment variable. There is no validation that the server names or commands are safe. An attacker could inject arbitrary keys or values into the configuration file, potentially overwriting other settings or causing the LLM client to execute malicious commands.
ImpactAn attacker could inject malicious server configurations that execute arbitrary commands when the LLM client loads them.
FixValidate that server names match a safe pattern (e.g., alphanumeric and hyphens). Restrict the write path to a safe directory. Consider using a schema validation library.
456async function findServer(name: string): Promise<MCPServerInfo | undefined> {
457 await initSettings();
458 return serverSettings.servers.find((s) => s.name.includes(name));
459}// Exploitable if LLM is compromised and can call tools that use findServer.
The findServer function uses String.includes() to match server names. An attacker could provide a partial name that matches unintended servers. While not a direct path traversal, it could lead to information disclosure or manipulation of unintended servers.
ImpactAn attacker could retrieve or modify configuration of servers whose names contain the attacker's input substring, potentially leading to privilege escalation or data leakage.
FixUse exact matching (===) instead of includes() to prevent partial name matches.