MCP-INDEX
[ ⌘K ]
BACK TO SEARCH
tharuneshwar-s/mcp-spacecritical

MCP Space is a no-code platform for building and deploying AI tools using the Model Context Protocol (MCP). Create powerful AI agents through an intuitive chat interface without writing code, then deploy with one click to Cloudflare Workers. Combines a Next.js frontend with Google ADK backend for a seamless AI development experience.

MCP Space is a no-code platform that allows users to build and deploy AI tools using the Model Context Protocol (MCP). It provides an AI-assisted chat...

purpose: MCP Space is a no-code platform that allows users threat: network exposed
TypeScript · 11 · May 21, 2026 · May 21, 2026 · GITHUB ↗
RISK SCORE
0/ 100 risk
high findings+75
medium findings+45
capped at100
VULNERABILITY ANALYSIS · 6 findings in 6 blocks3 HIGH · 3 MEDIUM
HIGH1 finding
google-adk/manager/sb.py:16
16username = os.getenv("DB_USERNAME")
17password = os.getenv("DB_PASSWORD")
18dbname = os.getenv("DB_NAME")
19port = int(os.getenv("DB_PORT", 6543))
20host = os.getenv("DB_HOST")
21
22db_url = f"postgresql+psycopg2://{username}:{password}@{dbname}:{port}/{host}"
google-adk/manager/sb.py:1-22

// Exploitable if MCP is exposed to untrusted prompts or if logs are accessible.

EXPLAINThe database connection URL is constructed by embedding the username and password directly into the connection string. This URL is then exported and potentially logged or exposed to other parts of the application. If the URL is logged or passed to subprocesses, credentials could be leaked.
IMPACTAn attacker who gains access to logs, error messages, or process listings could retrieve the database credentials, leading to unauthorized database access and potential data breach.
FIXUse a connection string that references environment variables without embedding them in code, or use a secrets manager. Avoid constructing URLs with credentials in source code.
HIGH1 finding
google-adk/manager/sb.py:10
10url: str = os.getenv("SUPABASE_URL")
11key: str = os.getenv("SUPABASE_KEY")
12
13supabase: Client = create_client(url, key)
google-adk/manager/sb.py:1-13

// Exploitable if MCP is exposed to untrusted prompts or if logs are accessible.

EXPLAINThe Supabase URL and key are loaded from environment variables and used to create a client. While this is standard practice, the key is stored in memory and could be exposed through error messages, logging, or if the process is compromised.
IMPACTAn attacker with access to the runtime environment or logs could obtain the Supabase API key, allowing unauthorized access to the database.
FIXEnsure that environment variables are not logged or exposed in error messages. Consider using a secrets manager or encrypted environment variables.
HIGH1 finding
google-adk/manager/supabase_tools.py:20
20genai.configure(api_key=os.getenv("GOOGLE_API_KEY"))
21
22model = genai.GenerativeModel(config.GEMINI_MODEL_1, generation_config={
23    "temperature": 0.0,
24})
google-adk/manager/supabase_tools.py:1-24

// Exploitable if MCP is exposed to untrusted prompts or if logs are accessible.

EXPLAINThe Google API key is loaded from an environment variable and used to configure the generative AI client. While not hardcoded, the key is present in memory and could be exposed through error messages or logging.
IMPACTAn attacker with access to the runtime environment or logs could obtain the Google API key, leading to unauthorized usage and potential financial cost.
FIXEnsure that the API key is not logged or exposed. Consider using a secrets manager or restricting the key's permissions.
MEDIUM1 finding
frontend/next.config.ts:10
10experimental: {
11    serverComponentsExternalPackages: ['fs', 'path', 'child_process'],
12  },
frontend/next.config.ts:1-15

// Exploitable if MCP is exposed to untrusted prompts or if an attacker can trigger server-side code execution.

EXPLAINThe Next.js configuration allows server components to use 'fs', 'path', and 'child_process' packages. This enables arbitrary file system access and command execution on the server, which is beyond the intended purpose of the platform (building and deploying MCP servers).
IMPACTAn attacker who can influence server-side code execution (e.g., through prompt injection or compromised LLM) could read/write arbitrary files or execute shell commands on the server.
FIXRemove 'child_process' and 'fs' from the external packages list unless absolutely necessary. If file system access is required, restrict it to specific directories and use safe APIs.
MEDIUM1 finding
google-adk/manager/supabase_tools.py:27
27def compare_query_json(query: str, json_data: Any) -> Dict[str, float]:
28    PROMPT = f"""
29    ...
30    Query: {query}
31    JSON: {json_data}
32    """
33    response = model.generate_content(PROMPT)
google-adk/manager/supabase_tools.py:27-83

// Exploitable if MCP is exposed to untrusted prompts.

EXPLAINThe user query is directly interpolated into a prompt sent to the Gemini model without any sanitization or validation. This could allow prompt injection attacks where a malicious user crafts a query that manipulates the LLM's behavior.
IMPACTAn attacker could inject instructions into the LLM prompt, potentially causing the model to return manipulated scores, leak information, or perform unintended actions.
FIXSanitize and validate user input before including it in prompts. Use input encoding, limit query length, and consider using a separate model call for safety classification.
MEDIUM1 finding
google-adk/manager/agent.py:82
82- If the query contains update command format:
83    * Command: Update the tool **tool name: **TOOLNAME - [update request]
84    * Or: Command: Update **tool name: **TOOLNAME - [update request]
85    * Forward to information_collector_agent to:
86        * Parse the previous Specification Summary
87        * Create an updated Specification Summary based on the update request
88        * Present the FULL updated specification to the user for confirmation
google-adk/manager/agent.py:82-90

// Exploitable if MCP is exposed to untrusted prompts.

EXPLAINThe manager agent is instructed to parse user queries for update commands and forward them to the information collector agent. This allows users to influence the specification and potentially inject malicious instructions into the code generation pipeline.
IMPACTAn attacker could craft an update command that modifies the specification to include malicious code, which would then be generated and deployed as an MCP server.
FIXImplement strict validation of update commands. Do not allow arbitrary modifications; instead, use predefined templates or allow only specific fields to be updated.
5/21/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.