Oseni03/admin-support-assistant-mcp · critical

This is an AI-powered Virtual Assistant that manages your administrative tasks through a Model Context Protocol (MCP) server deployed on Cloudflare Workers. It integrates with Gmail, Google Calendar, Google Drive, Notion, and Slack to handle routine admin work, keeping you focused on building and selling.

This MCP server acts as an AI-powered virtual assistant that manages administrative tasks by integrating with Gmail, Google Calendar, Google Drive, No...

purpose: This MCP server acts as an AI-powered virtual assi...
threat: network exposed
TypeScript · 0 · May 21, 2026 · May 22, 2026 · GITHUB ↗
RISK SCORE
0 / 100 risk
high findings +125
medium findings +30
capped at 100
VULNERABILITY ANALYSIS · 7 findings in 7 blocks · 5 HIGH · 2 MEDIUM
HIGH · 1 finding
src/tools/google-drive/index.ts:14
export const driveTools = {
  list_drive_files: { ... },
  create_drive_text_file: { ... },
  get_drive_file_metadata: { ... },
  get_drive_file_content: { ... },
  delete_drive_file: { ... },
};
src/index.ts:257 · src/tools/google-drive/index.ts:14

// Exploitable if MCP is exposed to untrusted prompts or if LLM is compromised. The Drive integration token provides broad access to the user's Google Drive.

EXPLAIN: The Google Drive tools allow creating, reading, and deleting files without any restrictions on file names, content, or locations. An attacker can create files with arbitrary content, read any file the user has access to, and permanently delete files. This goes beyond the intended purpose of managing administrative tasks and could lead to data exfiltration or destruction.
IMPACT: An attacker can read sensitive files from Google Drive, create malicious files, or delete important data. This could result in data loss, data exfiltration, or planting of malicious content.
FIX: Restrict file operations to a specific folder or set of allowed file types. Implement size limits and content validation. For deletion, consider soft-delete or require confirmation. Limit the scope of file access based on the user's needs.
HIGH · 1 finding
src/tools/gmail/index.ts:30
export const gmailTools = {
  send_email: {
    schema: SendEmailSchema,
    handler: sendEmail,
    description: "Send a new email via Gmail",
  },
  delete_email: {
    schema: DeleteEmailSchema,
    handler: deleteEmail,
    description: "Permanently delete an email",
  },
  batch_delete_emails: {
    schema: BatchDeleteEmailsSchema,
    handler: batchDeleteEmails,
    description: "Batch permanently delete multiple emails",
  },
  // ...
};
src/index.ts:255 · src/tools/gmail/index.ts:30

// Exploitable if MCP is exposed to untrusted prompts or if LLM is compromised. The Gmail integration token provides full access to the user's Gmail account.

EXPLAIN: The Gmail tools include send_email, delete_email, and batch_delete_emails, which allow sending arbitrary emails and permanently deleting emails without any restrictions on recipients, content, or which emails can be deleted. There is no validation to prevent sending phishing emails, spam, or deleting important emails. The intended purpose is to manage administrative tasks, but these tools can be abused to send malicious emails or destroy data.
IMPACT: An attacker can send arbitrary emails from the user's Gmail account, potentially for phishing, spam, or social engineering attacks. They can also permanently delete emails, causing data loss or disrupting operations.
FIX: Restrict the ability to send emails to a whitelist of recipients or require approval for external recipients. Implement rate limiting. For deletion, consider soft-delete or require confirmation. Limit batch operations to prevent mass deletion.
HIGH · 1 finding
src/index.ts:724
  private async executeNotionOperation(notionClient: Client, operation: any, args: any): Promise<any> {
    const { method, path } = operation;
    let url = path;
    const requestOptions: any = { method: method.toUpperCase() };
    if (operation.parameters) {
      for (const param of operation.parameters) {
        if (param.in === "path" && args[param.name]) {
          url = url.replace(`{${param.name}}`, args[param.name]);
        }
      }
    }
    if (method.toLowerCase() === "get") {
      const queryParams = new URLSearchParams();
      if (operation.parameters) {
        for (const param of operation.parameters) {
          if (param.in === "query" && args[param.name] !== undefined) {
            queryParams.append(param.name, args[param.name]);
          }
        }
      }
      for (const [key, value] of Object.entries(args)) {
        if (value !== undefined && !operation.parameters?.some((p: any) => p.name === key && p.in === "path")) {
          queryParams.append(key, String(value));
        }
      }
      if (queryParams.toString()) {
        url += "?" + queryParams.toString();
      }
    } else {
      requestOptions.body = args;
    }
    const operationId = operation.operationId || operation.methodName;
    switch (operationId) {
      case "get-user":
        return await notionClient.users.retrieve({ user_id: args.user_id });
      // ... many cases
      default:
        throw new Error(`Unsupported operation: ${operationId}`);
    }
  }
src/index.ts:258 · src/tools/notion/index.ts:32

// Exploitable if MCP is exposed to untrusted prompts or if LLM is compromised. The Notion integration token provides broad access to the user's Notion workspace.

EXPLAIN: The executeNotionOperation method dynamically constructs Notion API calls based on operation definitions loaded from a generated JSON file. The operation definitions include arbitrary paths and methods, and the code passes all user-supplied arguments directly to the Notion SDK methods without validation. This allows an attacker to invoke any Notion API endpoint that the integration token has access to, including reading, creating, updating, and deleting pages, databases, and blocks. The tool registration in registerNotionTools uses these operation definitions as input schemas, meaning the LLM can call any of these operations with arbitrary parameters.
IMPACT: An attacker with access to the MCP server (or a compromised LLM) can perform arbitrary Notion operations, including reading all pages and databases, creating new pages, deleting content, and modifying data. This goes beyond the intended purpose of managing administrative tasks and could lead to data exfiltration, data loss, or unauthorized modifications.
FIX: Restrict the Notion tools to a predefined set of safe operations (e.g., only search, read page, create page with limited fields). Validate all inputs against a whitelist of allowed operations and parameters. Avoid dynamically constructing API calls from generated definitions.
HIGH · 1 finding
src/tools/google-calendar/index.ts:24
export const calendarTools = {
  create_event: { ... },
  update_event: { ... },
  delete_event: { ... },
  quick_add_event: { ... },
  freebusy_query: { ... },
  // ...
};
src/index.ts:256 · src/tools/google-calendar/index.ts:24

// Exploitable if MCP is exposed to untrusted prompts or if LLM is compromised. The Calendar integration token provides full access to the user's calendars.

EXPLAIN: The Calendar tools allow creating, updating, and deleting events without restrictions. An attacker can create events with arbitrary details, modify existing events, or delete events. This could be used to disrupt schedules, create phishing events, or delete important appointments.
IMPACT: An attacker can create, modify, or delete calendar events, potentially causing confusion, scheduling conflicts, or data loss. They could also create events with malicious links or descriptions to phish other users.
FIX: Restrict event creation to specific calendars or require approval for events with external attendees. Implement rate limiting. For deletion, consider soft-delete or require confirmation.
HIGH · 1 finding
src/tools/slack/tools-implementation.ts:222
export const uploadFile: SlackTool<z.infer<typeof UploadFileSchema>> = async ({ slack }, args) => {
  const options: any = {
    channels: args.channels.join(","),
    content: args.content,
    filename: args.filename,
  };
  if (args.title) options.title = args.title;
  if (args.initialComment) options.initial_comment = args.initialComment;
  const response = await slack.files.uploadV2(options);
  return {
    content: [{ type: "text", text: JSON.stringify(response, null, 2) }],
  };
};
src/index.ts:259 · src/tools/slack/index.ts:40

// Exploitable if MCP is exposed to untrusted prompts or if LLM is compromised. The Slack integration token may have broad permissions to post and upload files.

EXPLAIN: The upload_file tool accepts arbitrary content and filename from the user and uploads it to Slack channels. There is no validation on the content type, size, or whether the file contains malicious data. Similarly, post_message and other tools accept arbitrary text and blocks. This allows an attacker to upload malicious files (e.g., malware, phishing content) or post harmful messages to Slack channels, which could be used to attack other users or exfiltrate data.
IMPACT: An attacker can upload arbitrary files to Slack channels, potentially distributing malware or phishing links. They can also post messages with malicious content, impersonate users, or exfiltrate sensitive data by posting it to a channel they control.
FIX: Implement content validation and size limits for file uploads. Restrict the types of files that can be uploaded. For messages, consider sanitizing text and blocks to prevent injection of malicious content. Limit the channels to which messages can be posted based on the user's permissions.
MEDIUM · 1 finding
src/tools/notion/tools-implementation.ts:91
export const queryDatabase: NotionTool<z.infer<typeof QueryDatabaseSchema>> = async ({ notion }, args) => {
  const queryParams: any = { database_id: args.databaseId, page_size: args.pageSize };
  if (args.filterBy) {
    try {
      queryParams.filter = JSON.parse(args.filterBy);
    } catch (e) {
      return { content: [{ type: "text", text: `Error parsing filter: ${e}` }] };
    }
  }
  if (args.sortBy) {
    try {
      queryParams.sorts = JSON.parse(args.sortBy);
    } catch (e) {
      return { content: [{ type: "text", text: `Error parsing sorts: ${e}` }] };
    }
  }
  const response = await notion.databases.retrieve(queryParams);
  return { content: [{ type: "text", text: JSON.stringify(response, null, 2) }] };
};
src/index.ts:258 · src/tools/notion/index.ts:32 · src/tools/notion/tools-implementation.ts:91

// Exploitable if MCP is exposed to untrusted prompts or if LLM is compromised. The Notion integration token may have broad access.

EXPLAIN: The queryDatabase and createPage tools accept JSON strings for filterBy, sortBy, and properties parameters. These are parsed and passed directly to the Notion SDK without validation. An attacker can craft arbitrary JSON objects to manipulate the query or page creation, potentially accessing data they shouldn't or creating pages with unexpected properties. This could lead to information disclosure or unauthorized data manipulation.
IMPACT: An attacker can craft malicious JSON to query databases with arbitrary filters, potentially extracting more data than intended, or create pages with arbitrary properties, bypassing intended restrictions.
FIX: Validate the JSON structure against a strict schema before passing it to the Notion SDK. Use Zod schemas to define allowed filter and property structures. Avoid passing raw user input to API calls.
MEDIUM · 1 finding
src/tools/slack/tools-implementation.ts:23
export const postMessage: SlackTool<z.infer<typeof PostMessageSchema>> = async ({ slack }, args) => {
  const options: any = { channel: args.channel, text: args.text };
  if (args.threadTs) { options.thread_ts = args.threadTs; }
  if (args.blocks) {
    try {
      options.blocks = JSON.parse(args.blocks);
    } catch (e) {
      return { content: [{ type: "text", text: `Error parsing blocks: ${e}` }] };
    }
  }
  const response = await slack.chat.postMessage(options);
  return { content: [{ type: "text", text: JSON.stringify(response, null, 2) }] };
};
src/index.ts:259 · src/tools/slack/index.ts:40 · src/tools/slack/tools-implementation.ts:23

// Exploitable if MCP is exposed to untrusted prompts or if LLM is compromised. The Slack integration token may have broad permissions.

EXPLAIN: The post_message and update_message tools accept a blocks parameter as a JSON string, which is parsed and passed directly to the Slack API. An attacker can craft arbitrary block kit JSON to create messages with malicious content, such as fake buttons, links, or interactive components that could be used for phishing or social engineering.
IMPACT: An attacker can create Slack messages with arbitrary block kit elements, potentially tricking users into clicking malicious links or providing sensitive information.
FIX: Validate the blocks JSON against a strict schema that limits allowed block types and properties. Consider using a whitelist of allowed block types. Avoid passing raw user input to the Slack API.
5/22/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.