mcpflow/ZbigniewTomanek_my-mcp-server
criticalMirror of https://github.com/ZbigniewTomanek/my-mcp-server
This MCP server provides file system and command execution tools for LLM clients like Claude Desktop. It enables shell command execution, file viewing...
34def execute_shell_command(
35 command: list[str],
36 timeout: int = 60,
37 working_dir: str = None
38) -> dict:
39 """Execute a shell command and return comprehensive results."""
40 try:
41 result = subprocess.run(
42 command,
43 stdout=subprocess.PIPE,
44 stderr=subprocess.PIPE,
45 timeout=timeout,
46 cwd=working_dir,
47 text=True
48 )// Local-only MCP, requires compromised LLM to exploit
The execute_shell_command tool accepts an arbitrary list of strings as a command and executes it via subprocess.run with no restrictions on what commands can be run. The description claims it prevents shell injection by using a list, but it does not restrict the command to a safe subset. Any command can be executed, including those that read sensitive files, modify system state, or exfiltrate data.
ImpactA compromised LLM could execute arbitrary shell commands on the host system, leading to full system compromise, data exfiltration, or persistent access.
FixRestrict allowed commands to a whitelist, or remove this tool if not essential. If needed, implement strict validation of the command and arguments.
94def show_file(
95 file_path: Path,
96 start_line: int = 1,
97 num_lines: Optional[int] = None
98) -> dict:
99 """Display content of a file with optional line range specification."""
100 if not file_path.exists():
101 return {
102 "success": False,
103 "error": f"File {file_path} does not exist",
104 "content": "",
105 "lines_shown": 0,
106 "total_lines": 0
107 }
108
109 try:
110 # Ensure start_line is at least 1 (1-based indexing)
111 start_line = max(1, start_line)
112
113 # Read all lines from the file
114 all_lines = file_path.read_text().splitlines()// Local-only MCP, requires compromised LLM to exploit
The show_file tool accepts an arbitrary file path with no validation or restriction. It reads and returns the contents of any file on the filesystem that the process has access to. This allows reading sensitive files such as /etc/passwd, SSH keys, or application secrets.
ImpactA compromised LLM could read any file on the system, leading to credential exposure, secret leakage, or information disclosure.
FixRestrict file access to a specific allowed directory (e.g., a workspace folder) and validate that the resolved path stays within that directory.
177def search_in_file(
178 file_path: Path,
179 pattern: str,
180 case_sensitive: bool = True,
181 max_matches: int = 100
182) -> dict:
183 """Search for regex patterns in a file and return matching lines with line numbers."""
184 if not file_path.exists():
185 return {
186 "success": False,
187 "error": f"File {file_path} does not exist",
188 "matches": [],
189 "match_count": 0
190 }
191
192 try:
193 # Compile the regex pattern
194 flags = 0 if case_sensitive else re.IGNORECASE
195 regex = re.compile(pattern, flags)
196
197 # Read the file and search for matches
198 matches = []
199 with open(file_path, 'r') as f:// Local-only MCP, requires compromised LLM to exploit
The search_in_file tool accepts an arbitrary file path with no validation. It reads the file and returns lines matching a regex pattern, enabling an attacker to search for sensitive patterns (e.g., passwords, API keys) in any file on the system.
ImpactA compromised LLM could search for sensitive data in any readable file, leading to credential exposure or secret leakage.
FixRestrict file access to a specific allowed directory and validate that the path stays within that directory.
250def edit_file(
251 file_path: Path,
252 replacements: Optional[Dict[str, str]] = None,
253 line_operations: Optional[List[Dict[str, Any]]] = None,
254 create_if_missing: bool = False
255) -> dict:
256 """Edit a file with advanced options for string replacements and line operations."""
257 if not file_path.exists():
258 if create_if_missing:
259 file_path.parent.mkdir(parents=True, exist_ok=True)
260 file_path.write_text("")
261 else:
262 return {
263 "success": False,
264 "error": f"File {file_path} does not exist",
265 "replacements_made": {},
266 "line_operations_performed": []
267 }
268
269 try:
270 # Read the original file content
271 original_content = file_path.read_text()
272 content = original_content// Local-only MCP, requires compromised LLM to exploit
The edit_file tool accepts an arbitrary file path with no validation. It can modify or create files anywhere on the filesystem. The create_if_missing parameter allows creating new files in arbitrary locations, including overwriting critical system files or planting malicious scripts.
ImpactA compromised LLM could write or modify any file on the system, leading to arbitrary code execution, privilege escalation, or persistent backdoors.
FixRestrict file access to a specific allowed directory and validate that the resolved path stays within that directory. Remove or disable create_if_missing if not needed.
426def write_file(file_path: Path, content: str, mode: str = "w") -> dict:
427 """Write content to a file."""
428 try:
429 with open(file_path, mode) as f:
430 f.write(content)
431 return {"success": True}
432 except Exception as e:
433 return {"success": False, "error": str(e)}// Local-only MCP, requires compromised LLM to exploit
The write_file tool accepts an arbitrary file path with no validation. It can write or append content to any file on the filesystem, allowing creation of malicious files or modification of existing ones.
ImpactA compromised LLM could write arbitrary content to any file, leading to arbitrary code execution, privilege escalation, or data corruption.
FixRestrict file access to a specific allowed directory and validate that the resolved path stays within that directory. Consider removing the append mode if not needed.
448def fetch_page(url: str) -> str:
449 """
450 Fetch a web page by converting it to PDF and then extracting text.
451 Utilizes a temporary file and suppresses any stdout produced by the PDF converter.
452 """
453 # Create a named temporary file and immediately close it so Chromium can write to it.
454 with tempfile.NamedTemporaryFile(prefix="page", suffix=".pdf", delete=False) as tmp_pdf:
455 temp_pdf_path = tmp_pdf.name
456
457 try:
458 # Build the command for Chromium to convert the page to PDF.
459 command = [
460 "chromium",
461 "--headless",
462 "--disable-gpu",
463 f"--print-to-pdf={temp_pdf_path}",
464 url
465 ]
466 result = subprocess.run(
467 command,
468 stdout=subprocess.PIPE,
469 stderr=subprocess.PIPE,
470 text=True
471 )// Local-only MCP, requires compromised LLM to exploit
The fetch_page tool accepts an arbitrary URL with no validation or restrictions. It uses Chromium to fetch the URL and convert it to PDF. This can be used to access internal network resources (SSRF), including cloud metadata endpoints, internal services, or localhost resources.
ImpactA compromised LLM could use this tool to perform server-side request forgery (SSRF), accessing internal services, cloud metadata, or other restricted resources.
FixRestrict allowed URLs to a whitelist of trusted domains, or block access to private IP ranges (e.g., 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).