BACK TO SEARCH
mbeps/excel-mcpcritical
MCP server allowing LLMs to be able to work with spreadsheets and carry out advanced tasks
This MCP server enables LLMs to read, write, and manipulate Excel and CSV files programmatically. It provides 69 structured tools for workbook operati...
purpose: This MCP server enables LLMs to read, write, and mthreat: local with credentials
RISK SCORE
0/ 100 risk
high findings+75
medium findings+30
capped at100
Indicators — descriptive signals, not vulnerabilities
dynamic-importsrc/mcp_server/main.py:50
These are automated indicators of code characteristics detected by regex pattern matching. They are informational, not security verdicts. Some patterns (e.g. telegram, crypto-wallet) may reflect legitimate functionality.
VULNERABILITY ANALYSIS · 5 findings in 5 blocks3 HIGH · 2 MEDIUM
HIGH1 finding
src/mcp_server/routes/custom_code.py:1
1Tool 'execute_custom_code' is registered in routes/custom_code.py. It accepts a 'code' parameter and executes it in a sandboxed environment with AST validation.src/mcp_server/main.py:102→src/mcp_server/routes/custom_code.py
// Local-only MCP, requires compromised LLM to exploit
EXPLAINThe tool execute_custom_code accepts arbitrary Python code from the LLM and executes it. Although it claims AST validation, the sandbox may be bypassed, allowing arbitrary code execution on the server.
IMPACTAn attacker controlling the LLM prompt could execute arbitrary Python code, read/write files, exfiltrate data, or compromise the host.
FIXRemove the execute_custom_code tool or restrict it to a whitelist of safe operations. Use a proper sandbox like subprocess with restricted permissions or a container.
HIGH1 finding
src/mcp_server/routes/file_transfer.py:1
1Tools 'http_download' and 'http_upload' are registered in routes/file_transfer.py. They accept a URL parameter and perform HTTP requests.src/mcp_server/main.py:103→src/mcp_server/routes/file_transfer.py
// Local-only MCP, requires compromised LLM to exploit
EXPLAINThe tools http_download and http_upload accept arbitrary URLs from the LLM and perform HTTP requests without validation. This can be used for SSRF, accessing internal services, or downloading/uploading files to arbitrary hosts.
IMPACTAn attacker could use the server as a proxy to scan internal networks, access cloud metadata endpoints, or exfiltrate data to external servers.
FIXRestrict URLs to a whitelist of allowed domains or use a blocklist for internal IP ranges. Validate that the URL scheme is https and the host is not private.
HIGH1 finding
src/mcp_server/tools/workbook.py:1
1Multiple tools accept a 'file_path' parameter (e.g., create_workbook, get_workbook_metadata, etc.) and pass it directly to openpyxl or file operations without sanitization.src/mcp_server/main.py:61→src/mcp_server/tools/workbook.py
// Local-only MCP, requires compromised LLM to exploit
EXPLAINThe file_path parameter is used directly in file operations. An attacker could use '../' sequences to read or write files outside the intended workbook directory, such as /etc/passwd or SSH keys.
IMPACTArbitrary file read and write on the server, potentially leading to credential theft or system compromise.
FIXValidate that file_path is within an allowed base directory. Use os.path.abspath and ensure it starts with the allowed prefix. Reject paths containing '..' or symbolic links.
MEDIUM1 finding
src/mcp_server/tools/protection.py:1
1Tools protect_sheet, unprotect_sheet, protect_workbook, unprotect_workbook accept a password parameter and can remove protection without verifying the original password.src/mcp_server/main.py:112→src/mcp_server/tools/protection.py
// Local-only MCP, requires compromised LLM to exploit
EXPLAINThe unprotect tools do not require the original password to remove protection. This allows an attacker to bypass any password protection set on sheets or workbooks.
IMPACTAn attacker could remove protection from password-protected sheets/workbooks, gaining unauthorized access to protected content.
FIXRequire the original password to unprotect. Store passwords securely or use a challenge-response mechanism.
MEDIUM1 finding
src/mcp_server/tools/formulas.py:1
1Tools like set_formula and set_formulas_batch accept sheet_name and formula strings that are passed directly to openpyxl without escaping.src/mcp_server/main.py:91→src/mcp_server/routes/formulas.py→src/mcp_server/tools/formulas.py
// Local-only MCP, requires compromised LLM to exploit
EXPLAINSheet names or formula strings containing special characters could break the formula or be used to inject arbitrary Excel formulas, potentially leading to information disclosure via external links or DDE.
IMPACTAn attacker could craft formulas that exfiltrate data via external connections or execute arbitrary commands via DDE.
FIXValidate sheet names against a regex (alphanumeric and underscores). Escape or reject special characters in formula inputs.
◷ 5/30/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.