Wajkie/github-workflow-mcp · critical

MCP server exposing GitHub engineering workflow to AI agents

This MCP server provides AI agents with structured, scoped access to GitHub engineering workflows, including reading repositories, pull requests, issu...

purpose: This MCP server provides AI agents with structured
threat: network exposed
TypeScript · 0 · May 30, 2026 · May 31, 2026 · GitHub
RISK SCORE: 0 / 100 risk
Scoring: low findings +15 · medium findings +75 · high findings +100 · capped at 100
VULNERABILITY ANALYSIS · 12 findings in 12 blocks · 4 HIGH · 5 MEDIUM
HIGH · 1 finding

src/config.ts:16
    allowedRepos: optional("ALLOWED_REPOS", "*"),

src/server.ts:42-48
// Network-exposed MCP server; an attacker can send arbitrary tool requests.

EXPLAIN: The ALLOWED_REPOS environment variable defaults to '*' (all repos) and is passed directly to tools without validation. Tools like list_repositories, get_repository, get_file, etc. use this value to filter repositories, but if it is set to '*', all repositories in the organization are accessible. Additionally, there is no validation that repository names provided by the user match the allowed list; the filtering logic is not shown but likely relies on this config value.
IMPACT: An attacker could access any repository in the GitHub organization, including private ones, if ALLOWED_REPOS is set to '*' or if the filtering is bypassed. This could lead to unauthorized data access.
FIX: Implement strict validation of repository names against an explicit allowlist. Avoid using '*' in production. Validate that user-provided repo names match the allowed list exactly.
HIGH · 1 finding

// Source file not analyzed: src/tools/githubWriteTools.ts
// Finding inferred from import chain: src/server.ts:46

src/server.ts:46
// Network-exposed MCP server; requires ALLOW_WRITES=true to exploit.

EXPLAIN: Write tools (create_branch, create_or_update_file, create_pull_request, merge_pr) accept user-controlled parameters such as branch names, file paths, commit messages, and PR titles. Without validation, an attacker could create branches with malicious names, overwrite critical files, or create PRs with misleading titles. The allowWrites flag gates access, but once enabled, there is no further validation.
IMPACT: An attacker could perform unauthorized write operations, such as overwriting protected branches, injecting malicious code, or creating deceptive pull requests, potentially compromising repository integrity.
FIX: Validate all user inputs: restrict branch names to a safe pattern, validate file paths against an allowlist, and sanitize commit messages and PR titles to prevent injection.
HIGH · 1 finding

// Source file not analyzed: src/tools/repositoryTools.ts
// Finding inferred from import chain: src/server.ts:42

src/server.ts:42
// Network-exposed MCP server; an attacker can send arbitrary tool requests.

EXPLAIN: The search_code tool accepts a search query from the user. Without validation, an attacker could craft queries to extract sensitive information from code, such as API keys, passwords, or internal documentation. The GitHub code search API may return results from all repositories if the query is not scoped properly.
IMPACT: An attacker could search across repositories for secrets, credentials, or other sensitive data, leading to information disclosure.
FIX: Scope search to allowed repositories only. Validate and sanitize the query to prevent injection or overly broad searches.
HIGH · 1 finding

// Source file not analyzed: src/tools/repositoryTools.ts
// Finding inferred from import chain: src/server.ts:42

src/server.ts:42
// Network-exposed MCP server; an attacker can send arbitrary tool requests.

EXPLAIN: The get_file tool accepts a file path from the user. Without validation, an attacker could request files outside the intended repository scope, such as .env, config files, or other sensitive files. The tool likely uses the GitHub API to fetch file contents, but the path is user-controlled.
IMPACT: An attacker could read arbitrary files from any repository in the allowed scope, potentially exposing secrets, credentials, or sensitive source code.
FIX: Validate that the file path is within the repository and does not contain path traversal sequences (e.g., '../'). Restrict to specific directories if possible.
MEDIUM · 1 finding

src/config.ts:17
    allowWrites: optional("ALLOW_WRITES", "false") === "true",

src/server.ts:46
// Network-exposed MCP server; requires ALLOW_WRITES=true to exploit.

EXPLAIN: The ALLOW_WRITES flag is a global toggle that enables all write operations (create_branch, create_or_update_file, create_pull_request, merge_pr, request_review). There is no per-user or per-repository access control. Once enabled, any user of the MCP server can perform destructive actions on any allowed repository.
IMPACT: An attacker could create, modify, or delete files, branches, and pull requests across all allowed repositories, potentially causing data loss or introducing vulnerabilities.
FIX: Implement role-based access control (RBAC) or per-repository permissions. Consider requiring additional authentication for write operations.
MEDIUM · 1 finding

// Source file not analyzed: src/tools/knowledgeTools.ts
// Finding inferred from import chain: src/server.ts:50

src/server.ts:50
// Network-exposed MCP server; an attacker can send arbitrary tool requests.

EXPLAIN: The search_knowledge tool accepts a search query from the user. Without validation, an attacker could perform injection attacks against the knowledge base (e.g., SQL injection if it is backed by a database) or extract sensitive information.
IMPACT: An attacker could extract sensitive data from the knowledge base or perform injection attacks.
FIX: Validate and sanitize the search query. Use parameterized queries if the knowledge base is a database.
MEDIUM · 1 finding

// Source file not analyzed: src/tools/lintingTools.ts
// Finding inferred from import chain: src/server.ts:45

src/server.ts:45
// Network-exposed MCP server; requires ALLOW_WRITES=true for apply_safe_fixes.

EXPLAIN: The suggest_fixes and apply_safe_fixes tools accept user input to generate or apply linting fixes. Without validation, an attacker could provide malicious input that leads to arbitrary code execution or file modification if the fix application process is not properly sandboxed.
IMPACT: An attacker could potentially execute arbitrary code on the server or modify files outside the intended scope.
FIX: Validate and sanitize all inputs. Ensure that fix application is done in a sandboxed environment with restricted file system access.
MEDIUM · 1 finding

// Source file not analyzed: src/tools/lintingTools.ts
// Finding inferred from import chain: src/server.ts:45

src/server.ts:45
// Network-exposed MCP server; an attacker can send arbitrary tool requests.

EXPLAIN: The lint_code tool accepts inline code from the user and lints it using the ESLint/TypeScript config. Without validation, an attacker could provide code that triggers ESLint rules in unexpected ways, potentially causing denial of service or information disclosure through error messages.
IMPACT: An attacker could cause the server to crash or leak internal configuration details via ESLint error messages.
FIX: Sanitize or limit the size of input code. Ensure ESLint errors are handled gracefully and do not expose sensitive information.
MEDIUM · 1 finding

// Source file not analyzed: src/tools/lintingTools.ts
// Finding inferred from import chain: src/server.ts:45

src/server.ts:45
// Network-exposed MCP server; an attacker can send arbitrary tool requests.

EXPLAIN: The validate_diff and validate_pr tools accept user-controlled diff content or PR identifiers. Without validation, an attacker could provide malicious diffs that cause the linter to behave unexpectedly or leak information.
IMPACT: An attacker could cause denial of service or information disclosure through crafted diff inputs.
FIX: Validate and sanitize diff inputs. Limit the size of diffs to prevent resource exhaustion.
LOW · 1 finding

src/config.ts:20-21
    databaseUrl: process.env["DATABASE_URL"],
    redisUrl: process.env["REDIS_URL"],

src/server.ts:61-63
// Network-exposed MCP server; credential exposure requires server compromise.

EXPLAIN: Database and Redis connection strings may contain credentials (e.g., username, password). These are stored in environment variables and used directly. If the environment is compromised, these credentials could be exposed.
IMPACT: An attacker could gain access to the database or Redis instance, potentially reading or modifying audit logs, cache data, or the knowledge base.
FIX: Use secure secret management and avoid storing credentials in plaintext environment variables. Consider using IAM roles or service accounts.
LOW · 1 finding

src/config.ts:14
    githubToken: required("GITHUB_TOKEN"),

src/server.ts:23
// Network-exposed MCP server; token exposure requires server compromise.

EXPLAIN: The GitHub token is read from an environment variable and used to authenticate API requests. While this is standard practice, if the environment is compromised, the token could be exposed. Additionally, the token is passed to Octokit and used for all API calls, meaning every tool that makes API calls uses this single token.
IMPACT: An attacker who gains access to the server's environment could steal the GitHub token and perform actions on behalf of the authenticated user.
FIX: Use short-lived tokens or OAuth flows. Consider encrypting the token at rest and using secure secret management.
LOW · 1 finding

// Source file not analyzed: src/tools/githubWriteTools.ts
// Finding inferred from import chain: src/server.ts:46

src/server.ts:46
// Network-exposed MCP server; requires ALLOW_WRITES=true to exploit.

EXPLAIN: The request_review tool accepts a reviewer username from the user. Without validation, an attacker could request reviews from arbitrary users, potentially enabling spam or social engineering attacks.
IMPACT: An attacker could spam users with review requests or impersonate others.
FIX: Validate that the reviewer is a valid user in the organization and limit the frequency of review requests.
5/31/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.