mcpflow/YiyangLi_sms-mcp-server
highMirror of https://github.com/YiyangLi/sms-mcp-server
MCP server (purpose undetermined)
8const requiredEnvVars = ["ACCOUNT_SID", "AUTH_TOKEN", "FROM_NUMBER"];
9for (const envVar of requiredEnvVars) {
10 if (!process.env[envVar]) {
11 console.error(`Error: ${envVar} environment variable is required`);
12 process.exit(1);
13 }
14}
15
16// Initialize Twilio client
17const client = twilio(process.env.ACCOUNT_SID, process.env.AUTH_TOKEN);// Exploitable if the MCP server's environment is compromised (e.g., via other vulnerabilities or misconfiguration).
The server reads Twilio Account SID, Auth Token, and From Number from environment variables. These credentials are sensitive and if the environment is compromised, an attacker could send arbitrary SMS messages at the account's expense.
ImpactAn attacker with access to the environment could use the Twilio credentials to send SMS messages, incurring costs and potentially enabling phishing or spam campaigns.
FixUse a secrets manager or encrypted configuration. Ensure environment variables are not exposed in logs or error messages. Consider restricting the MCP server's network exposure.
25server.prompt(
26 "send-greeting",
27 {
28 to: z.string().describe("Recipient's phone number in E.164 format (e.g., +11234567890)"),
29 occasion: z.string().describe("The occasion for the greeting (e.g., birthday, holiday)")
30 },
31 ({ to, occasion }) => ({
32 messages: [{
33 role: "user",
34 content: {
35 type: "text",
36 text: `Please write a warm, personalized greeting for ${occasion} and send it as a text message to ${to}. Make it engaging and friendly.`
37 }
38 }]
39 })
40);// Exploitable if the MCP server is exposed to untrusted prompts (e.g., via network exposure or compromised LLM).
The prompt templates directly interpolate user-supplied parameters (occasion, theme, to) into the prompt text without sanitization. An attacker could inject malicious instructions to manipulate the LLM's behavior, potentially causing it to send arbitrary messages or disclose information.
ImpactAn attacker could craft inputs that cause the LLM to ignore its instructions, send messages to unintended numbers, or perform actions beyond the intended scope.
FixUse parameterized prompts or sanitize/validate user inputs. Consider using a separate system prompt that constrains the LLM's behavior and does not allow overriding instructions.
70async ({ to, message }) => {
71 try {
72 // Validate phone number format
73 if (!to.startsWith("+")) {
74 return {
75 content: [{
76 type: "text",
77 text: "Error: Phone number must be in E.164 format (e.g., +11234567890)"
78 }],
79 isError: true
80 };
81 }
82
83 // Send message via Twilio
84 const response = await client.messages.create({
85 body: message,
86 from: process.env.FROM_NUMBER,
87 to: to
88 });// Exploitable if the MCP server is exposed to untrusted inputs or if the LLM is compromised.
The only validation on the 'to' parameter is that it starts with '+'. There is no check for valid digits, length, or proper E.164 format. This could allow sending messages to malformed or unintended numbers, potentially causing errors or unexpected charges.
ImpactAn attacker could provide a phone number that passes the simple check but is invalid or unintended, leading to failed delivery or billing issues. More critically, if the LLM is compromised, it could send messages to arbitrary numbers.
FixImplement proper E.164 validation using a library (e.g., libphonenumber) to ensure the phone number is valid and properly formatted.