gino-reinke/unity-mcp-server · critical

No description

This MCP server provides tools for Unity game development workflows, including inspecting Unity projects, reading/writing files, querying git history,...

threat: network exposed
Python · 0 · May 21, 2026 · May 22, 2026
RISK SCORE
0 / 100 risk
low findings: +5
high findings: +75
medium findings: +60
capped at 100
VULNERABILITY ANALYSIS · 8 findings in 7 blocks · 3 HIGH · 4 MEDIUM
HIGH · 1 finding
server.py:40 · tools/search.py:1

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

EXPLAIN: The fetch_url tool accepts an arbitrary URL and fetches its content. This can be used to perform Server-Side Request Forgery (SSRF) attacks, accessing internal services, cloud metadata endpoints, or other internal resources. The tool does not validate or restrict the URL scheme or host.
IMPACT: An attacker could use this tool to scan internal networks, access cloud metadata (e.g., AWS, GCP), or interact with internal services that are not intended to be exposed.
FIX: Restrict allowed URL schemes to http/https only, and implement a blocklist for private IP ranges (e.g., 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Consider using a URL allowlist if possible.
HIGH · 2 findings
tools/filesystem.py:354
def _safe_resolve(path_str: str) -> Path:
    """Resolve a path and ensure it's within the allowed directory."""
    resolved = Path(path_str).resolve()
    try:
        resolved.relative_to(projects_dir.resolve())
    except ValueError:
        raise ValueError(
            f"Access denied: path {resolved} is outside "
            f"the Unity projects directory {projects_dir}"
        )
    return resolved
MEDIUM · 1 finding
server.py:41 · tools/memory.py:1

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

EXPLAIN: The memory tools (store_memory, recall_memories, get_memory, update_memory, delete_memory, list_project_memories) allow storing and retrieving arbitrary text data associated with projects. There is no authentication or access control, so any user of the MCP can read, write, or delete memories for any project.
IMPACT: An attacker could read sensitive project memories, inject false information, or delete important project context, potentially leading to incorrect AI assistance or data loss.
FIX: Implement access control based on project ownership or user authentication. Consider encrypting sensitive memory content.
MEDIUM · 1 finding
tools/filesystem.py:452
@mcp.tool()
def write_file(file_path: str, content: str) -> str:
    """Write or overwrite a file within the Unity projects folder.
    Creates parent directories if they don't exist.
    Example: write_file('MyGame/Assets/Scripts/NewScript.cs', '...')"""
    full_path = _safe_resolve(str(projects_dir / file_path))
    full_path.parent.mkdir(parents=True, exist_ok=True)
    full_path.write_text(content, encoding="utf-8")
    return f"Successfully wrote {len(content)} chars to {file_path}"
server.py:38 · tools/filesystem.py:452

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

EXPLAIN: The write_file tool allows writing or overwriting any file within the Unity projects directory, including critical project files like .git/config, ProjectSettings.asset, or other configuration files. This could be used to modify project settings, inject malicious code, or corrupt the project.
IMPACT: An attacker could overwrite project configuration files, inject malicious scripts, or corrupt the Unity project, potentially leading to arbitrary code execution when the project is opened in Unity.
FIX: Restrict write operations to specific directories (e.g., Assets/Scripts) or file types (e.g., .cs, .json). Consider implementing a whitelist of allowed file extensions or paths.
MEDIUM · 1 finding
tools/filesystem.py:505
@mcp.tool()
def grep_in_project(
    query: str,
    project_name: str = "",
    pattern: str = "*.cs",
    case_sensitive: bool = False,
    use_regex: bool = False,
    max_matches: int = 200,
) -> str:
    """Search file contents within a Unity project for a string or regex pattern.
    ...
    Leave project_name empty to search across all projects."""
    base = _safe_resolve(str(projects_dir / project_name)) if project_name else projects_dir
server.py:38 · tools/filesystem.py:505

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

EXPLAIN: The grep_in_project tool allows searching file contents across all projects when project_name is empty. This could be used to search for sensitive information like passwords, API keys, or other secrets across all projects in the directory.
IMPACT: An attacker could search for sensitive patterns across all projects, potentially discovering credentials or other confidential information.
FIX: Require a project_name parameter and do not allow searching across all projects by default. Alternatively, implement a rate limit or require explicit user consent for cross-project searches.
MEDIUM · 1 finding
server.py:39 · tools/git_tools.py:1

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

EXPLAIN: The git tools (git_status, git_log, git_diff, git_branch_list) allow executing git commands on any detected git repository within the projects directory. While these are read-only operations, they could expose sensitive information from git history, such as credentials or secrets that were committed and later removed.
IMPACT: An attacker could read git history to extract sensitive information like API keys, passwords, or other secrets that were accidentally committed.
FIX: Consider restricting git tools to only show recent history or implement a filter to exclude sensitive patterns. Alternatively, require explicit user consent before exposing git history.
LOW · 1 finding
tools/filesystem.py:366
@mcp.tool()
def list_unity_projects() -> str:
    """List all Unity projects in the configured Unity Projects folder.
    Identifies projects by the presence of an Assets directory."""
server.py:38 · tools/filesystem.py:366

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

EXPLAIN: All tool descriptions and parameter names are exposed to the LLM and could be manipulated via prompt injection. An attacker could craft a prompt that causes the LLM to call tools with malicious arguments, bypassing the intended use.
IMPACT: An attacker could potentially trick the LLM into executing unintended tool calls, such as reading sensitive files or writing malicious content.
FIX: Implement input validation and sanitization on all tool parameters. Consider using a separate validation layer that is not influenced by the LLM.
5/22/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.