Yocoolab/mcp-server · critical

MCP server for Claude Code — exposes Yocoolab feedback threads and design selections as tools

This MCP server integrates Yocoolab's design feedback platform with AI coding assistants like Claude Code. It exposes tools to list, triage, and respo...

purpose: This MCP server integrates Yocoolab's design feedback platform with AI coding assistants like Claude Code.
threat: network exposed
TypeScript · 0 · May 30, 2026 · May 31, 2026 · GitHub
RISK SCORE: 100 / 100 (critical)
  high findings (2): +50
  medium findings (3): +45
  low findings (1): +5
  sum capped at 100
VULNERABILITY ANALYSIS · 6 findings in 6 blocks · 2 HIGH · 3 MEDIUM · 1 LOW
HIGH · 1 finding
src/index.ts:352
352 | files: z.array(z.object({
353 |   path: z.string().describe('File path relative to repo root'),
354 |   content: z.string().describe('Full file content (replaces entire file)'),
355 | })).describe('Array of file changes to include in the commit'),
src/index.ts:18 · src/index.ts:352

// Network-exposed MCP; exploitable by any LLM prompt that calls create_pr_for_thread with malicious file paths.

EXPLAIN: The create_pr_for_thread tool takes an array of file changes whose paths are free-form strings. The schema description says "relative to repo root", but nothing enforces it: a path can carry '..' segments, start with '/', or name any file in the repository. The paths are sent to the GitHub API as commit contents; GitHub rejects entries that escape the repository, so the traversal case is bounded, but the tool itself enforces nothing, and in particular it does not stop a prompt-injected call from choosing any in-repo path it likes.
IMPACT: A prompt-injected call can write arbitrary content to any path inside the repository, including CI/CD configuration or files that hold secrets, and open a pull request carrying it. GitHub's own validation limits the damage to the repository; it does not limit which files inside the repository can be targeted.
FIX: Validate every path before building the commit: reject absolute paths, backslashes, NUL bytes and any '..' segment, normalize './' and repeated slashes, and treat writes under CI or tooling directories as needing explicit confirmation. A normalizing library such as 'upath' or a few string checks is enough; attach the check to the zod schema with .refine() so bad input is rejected before the handler runs.
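As an added example (not code from the Yocoolab/mcp-server repository), a path check of the kind the fix calls for. `checkRepoPath`, `PathCheck` and `PROTECTED_PREFIXES` are this example's own names, and the protected-path list is an assumption about which in-repo locations deserve explicit confirmation:

```typescript
// Added example, not code from the Yocoolab/mcp-server repository.
// Validates a `files[].path` value for create_pr_for_thread before it goes
// into a commit. The names and the PROTECTED_PREFIXES list are assumptions.

export type PathCheck =
  | { ok: true; path: string; protected: boolean }
  | { ok: false; reason: string };

// Locations a prompt-injected call should not be able to rewrite silently:
// CI configuration and git hooks. Entries ending in "/" are directory prefixes.
// Illustrative list, not the project's.
const PROTECTED_PREFIXES = [".github/", ".circleci/", ".gitlab-ci.yml", ".husky/"];

function isProtectedPath(p: string): boolean {
  return PROTECTED_PREFIXES.some((entry) =>
    entry.endsWith("/") ? p.startsWith(entry) : p === entry,
  );
}

export function checkRepoPath(raw: string): PathCheck {
  if (raw.length === 0 || raw.length > 4096) {
    return { ok: false, reason: "empty or oversized path" };
  }
  // Reject bytes and separators that a naive "../" substring check would miss.
  if (raw.includes("\0")) return { ok: false, reason: "NUL byte in path" };
  if (raw.includes("\\")) return { ok: false, reason: "backslash in path (use /)" };
  if (raw.startsWith("/")) return { ok: false, reason: "absolute path" };
  if (/^[A-Za-z]:/.test(raw)) return { ok: false, reason: "drive-letter path" };

  // Walk the segments: drop "" and ".", refuse any ".." outright rather than
  // normalizing it away, and refuse writes into a .git directory at any depth.
  const segments: string[] = [];
  for (const seg of raw.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") return { ok: false, reason: "'..' segment (path traversal)" };
    if (seg.toLowerCase() === ".git") return { ok: false, reason: ".git directory" };
    segments.push(seg);
  }
  if (segments.length === 0) {
    return { ok: false, reason: "path resolves to the repository root" };
  }
  const normalized = segments.join("/");
  return { ok: true, path: normalized, protected: isProtectedPath(normalized) };
}

// Wiring into the tool schema (zod is what the server already uses for its
// input schemas): reject bad paths before the handler runs, and let the
// handler demand explicit confirmation when `protected` is true.
//
//   path: z.string().refine((p) => checkRepoPath(p).ok, {
//     message: "path must be a relative path inside the repository",
//   }),
```

The check refuses '..' anywhere instead of normalizing it, which is stricter than a resolve-then-compare approach but has no edge cases; the `protected` flag is returned rather than treated as a rejection because touching CI files is sometimes exactly what the PR is for, and the decision belongs to a human, not to the validator.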
HIGH · 1 finding
src/index.ts:323
323 | repo: z.string().describe('Repository identifier (e.g., "org/repo-name")'),
324 | branch: z.string().optional().describe('Optional branch filter (e.g., "main", "feature/xyz")'),
325 | claude_code_pending: z.boolean().optional().describe('Filter for threads pending Claude Code review (true = only pending threads)'),
src/index.ts:16 · src/index.ts:323

// Network-exposed MCP; exploitable by any LLM prompt that calls list_open_threads or get_deployment_preview with arbitrary repo names.

EXPLAIN: Several tools (list_open_threads, get_deployment_preview) take a 'repo' string and forward it to the Yocoolab API as-is. The API may validate its shape, but the MCP server neither checks for the 'owner/repo' format nor limits which repositories a session may ask about, so any prompt that reaches the model can query repositories the user never meant to expose to the assistant, or enumerate them.
IMPACT: An attacker could pull information about any repository known to the Yocoolab platform, potentially leaking metadata about private repositories or projects. What actually comes back depends on the authorization the Yocoolab API applies to the credential the server holds; the server itself adds no restriction.
FIX: Validate 'repo' against an 'owner/name' pattern, and restrict queries to an allowlist of repositories fixed in the server's configuration at startup rather than left to whatever the model supplies.
MEDIUM · 1 finding
src/index.ts:574
574 | server.tool(
575 |   'get_activity_summary',
576 |   'Get a high-level summary of Claude Code activity: total events, active sessions, tool usage breakdown, files touched, and error count.',
577 |   {},
578 |   withCompanion(async () => {
579 |     return handleGetActivitySummary(activityEventStore, sessionManager);
580 |   })
581 | );
582 |
583 | server.tool(
584 |   'get_recent_events',
585 |   'Get the most recent Claude Code activity events (tool calls, prompts, errors). Shows timestamps, tool names, and key details.',
586 |   {
587 |     limit: z.number().optional().describe('Number of recent events to return (default: 10, max: 50)'),
588 |   },
589 |   withCompanion(async (args) => {
590 |     return handleGetRecentEvents(activityEventStore, args.limit);
591 |   })
592 | );
593 |
594 | server.tool(
595 |   'get_files_touched',
596 |   'List all files that have been read, written, or edited across Claude Code sessions. Shows file paths with session counts.',
597 |   {},
598 |   withCompanion(async () => {
599 |     return handleGetFilesTouched(sessionManager);
600 |   })
601 | );
src/index.ts:39 · src/index.ts:40 · src/index.ts:41 · src/index.ts:574

// Network-exposed MCP; exploitable by any LLM prompt that calls activity monitor tools to exfiltrate session data.

EXPLAIN: The activity monitor tools (get_activity_summary, get_recent_events, get_files_touched) return details of Claude Code sessions: file paths, tool inputs (which can include shell commands, prompts and code) and error messages. Tool inputs and error output routinely carry API keys, passwords or proprietary code, and the tools return them verbatim, so any client that can call them can read that material back.
IMPACT: An attacker could retrieve sensitive data from past Claude Code sessions, including file contents, commands executed, and prompts that may contain secrets or confidential information.
FIX: Redact known secret shapes (tokens, key IDs, password assignments, private keys) from inputs and errors before returning them, cap the size of each entry, and enforce the documented cap of 50 events in code: the 'limit' schema only describes the maximum, it does not declare it with .max(50), so confirm the handler clamps it. Consider gating these tools behind additional authentication.
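The redaction and limit handling the fix describes, as an added example that is not code from the Yocoolab/mcp-server repository. The `ActivityEvent` shape, the pattern list and the sample events are this example's assumptions (the events are constructed, not real session data):

```typescript
// Added example, not code from the Yocoolab/mcp-server repository.
// Redacts common credential shapes from activity-event text and clamps the
// `limit` argument before events are returned by a tool such as
// get_recent_events. The event shape and the pattern list are assumptions.

export interface ActivityEvent {
  ts: string;     // ISO timestamp
  tool: string;   // tool name, e.g. "Bash"
  input: string;  // tool input as recorded (commands, prompts, code)
  error?: string; // error text, if the call failed
}

// Order matters: specific token formats first, then generic key=value shapes.
const SECRET_PATTERNS: Array<[RegExp, string]> = [
  // GitHub tokens: ghp_, gho_, ghu_, ghs_, ghr_ followed by 36+ alphanumerics
  [/\bgh[pousr]_[A-Za-z0-9]{36,}\b/g, "[REDACTED_GITHUB_TOKEN]"],
  // AWS access key IDs
  [/\bAKIA[0-9A-Z]{16}\b/g, "[REDACTED_AWS_KEY_ID]"],
  // PEM private keys of any type, including the body
  [/-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
    "[REDACTED_PRIVATE_KEY]"],
  // Authorization headers
  [/\b(Bearer)\s+[A-Za-z0-9\-._~+\/]+=*/gi, "$1 [REDACTED]"],
  // password=..., api_key: "...", SECRET_TOKEN=... (keeps key, separator, quotes)
  [/(password|passwd|secret|token|api[_-]?key)(\s*[=:]\s*)(["']?)[^\s"'&,]+\3/gi,
    "$1$2$3[REDACTED]$3"],
];

export function redactSecrets(text: string): string {
  let out = text;
  for (const [re, replacement] of SECRET_PATTERNS) out = out.replace(re, replacement);
  return out;
}

// Clamp a caller-supplied limit to [1, maxLimit]; non-numeric input gets the default.
export function clampLimit(limit: unknown, dflt = 10, maxLimit = 50): number {
  const n = typeof limit === "number" && Number.isFinite(limit) ? Math.trunc(limit) : dflt;
  return Math.min(Math.max(n, 1), maxLimit);
}

// What a hardened get_recent_events handler would return: newest first,
// limit enforced, every free-text field redacted and size-capped.
export function recentEventsForClient(
  events: ActivityEvent[], limit?: unknown, maxChars = 500,
): ActivityEvent[] {
  const n = clampLimit(limit);
  return events.slice(-n).reverse().map((e) => ({
    ts: e.ts,
    tool: e.tool,
    input: redactSecrets(e.input).slice(0, maxChars),
    ...(e.error === undefined ? {} : { error: redactSecrets(e.error).slice(0, maxChars) }),
  }));
}

// Constructed sample events (not real session data).
export const SAMPLE_EVENTS: ActivityEvent[] = [
  { ts: "2026-05-31T10:00:00Z", tool: "Bash",
    input: "git push https://ghp_" + "a".repeat(36) + "@github.com/acme/web-app" },
  { ts: "2026-05-31T10:01:00Z", tool: "Bash",
    input: "curl -H 'Authorization: Bearer eyJhbGciOi.payload.sig' https://api.example.com/",
    error: "curl: (22) 401 for token=eyJhbGciOi.payload.sig" },
  { ts: "2026-05-31T10:02:00Z", tool: "Write",
    input: ".env: DB_PASSWORD=hunter2 AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE" },
];
```

Pattern-based redaction is a backstop, not a guarantee: it catches the shapes it knows and nothing else, which is why the size cap and the access control the fix mentions still matter. The generic `key=value` pattern deliberately has no leading word boundary so that `DB_PASSWORD=` is caught as well as `password=`; the cost is occasional over-redaction of harmless text.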
MEDIUM · 1 finding
src/index.ts:550
550 | server.tool(
551 |   'pendo_track_event',
552 |   'Send a custom track event to Pendo. Use this to track actions like feedback resolved, PR created from feedback, or guide suggestions.',
553 |   {
554 |     event_name: z.string().describe('Name of the event (e.g., "feedback_resolved", "pr_created_from_feedback")'),
555 |     visitor_id: z.string().optional().describe('Pendo visitor ID'),
556 |     account_id: z.string().optional().describe('Pendo account ID'),
557 |     properties: z.string().optional().describe('JSON string of additional properties'),
558 |   },
src/index.ts:31 · src/index.ts:550

// Network-exposed MCP; exploitable by any LLM prompt that calls pendo_track_event with arbitrary parameters.

EXPLAIN: pendo_track_event forwards a caller-chosen event name, visitor ID, account ID and a free-form JSON string of properties to Pendo. Nothing ties the visitor or account to the authenticated user, so a call can attribute events to any visitor or account, and the event name is not checked against the set of events the application actually emits. The direct result is polluted analytics; any further risk from how Pendo processes these fields lies on Pendo's side and is not demonstrated here.
IMPACT: An attacker could inject fake analytics events, corrupting dashboards or triggering any automation keyed on event data. The severity is medium because Pendo applies its own validation, but the tool provides none.
FIX: Restrict event_name to a predefined list (z.enum) rather than a free string, derive visitor and account IDs from the server's own session context instead of accepting them from the caller, and parse 'properties' as JSON on the server, rejecting anything that is not a reasonably sized object, before forwarding it.
MEDIUM · 1 finding
src/index.ts:502
502 | url: z.string().describe('URL of the page being analyzed'),
503 | question: z.string().describe('What to analyze or ask about the page'),
504 | page_title: z.string().optional().describe('Page title'),
505 | headings: z.array(z.string()).optional().describe('Page headings (h1-h3)'),
506 | body_text: z.string().optional().describe('Page body text snippet (first ~1000 chars)'),
src/index.ts:26 · src/index.ts:502

// Network-exposed MCP; exploitable by any LLM prompt that calls ai_analyze_page with a malicious URL.

EXPLAIN: ai_analyze_page takes a 'url' that is forwarded to the Yocoolab AI assistant. The MCP server does not fetch it, but the backend may, and nothing here limits scheme or host, so a prompt-injected call can supply internal addresses (cloud metadata endpoints, loopback, RFC 1918 ranges) or non-http schemes such as file:// in an attempt to turn the backend's fetch into SSRF.
IMPACT: If the Yocoolab backend fetches the URL, an attacker could probe internal networks, read local files, or reach internal services through it.
FIX: Validate the URL before forwarding: require https://, reject embedded credentials, and reject loopback, link-local and private address ranges as well as internal-looking hostnames. Treat this as defense in depth only: a public name can resolve to an internal address or redirect to one, so the backend that performs the fetch must check the resolved address and each redirect as well.
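One way to do that check on the MCP side, as an added example that is not the project's code. `checkAnalyzeUrl` and the helper names are this example's own, and the decision to refuse `.local`, `.internal` and dotless hostnames is a policy assumption:

```typescript
// Added example, not code from the Yocoolab/mcp-server repository.
// Checks the `url` argument of ai_analyze_page before it is forwarded to the
// backend. Defense in depth only: the fetch happens on the Yocoolab side, which
// must re-check the resolved address and every redirect hop.
// Function and type names are this example's own.

export type UrlCheck = { ok: true; url: string } | { ok: false; reason: string };

type IPv4 = [number, number, number, number];

function parseIPv4(host: string): IPv4 | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets: IPv4 = [Number(m[1]), Number(m[2]), Number(m[3]), Number(m[4])];
  return octets.every((o) => o <= 255) ? octets : null;
}

// "This network", loopback, RFC 1918, link-local (cloud metadata lives at
// 169.254.169.254) and CGNAT.
function isInternalIPv4([a, b]: IPv4): boolean {
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254) ||
    (a === 100 && b >= 64 && b <= 127)
  );
}

// The WHATWG URL parser keeps the brackets on IPv6 hostnames, e.g. "[::1]".
function isInternalIPv6(host: string): boolean {
  const h = host.slice(1, -1).toLowerCase();
  return (
    h === "::1" || h === "::" ||
    h.startsWith("fe80:") ||                    // link-local
    h.startsWith("fc") || h.startsWith("fd") || // unique local, fc00::/7
    h.startsWith("::ffff:")                     // IPv4-mapped; refuse rather than re-parse
  );
}

export function checkAnalyzeUrl(raw: string): UrlCheck {
  let u: URL;
  try {
    u = new URL(raw);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (u.protocol !== "https:") return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  if (u.username !== "" || u.password !== "") return { ok: false, reason: "credentials in URL" };

  // The parser has already normalized alternative IPv4 spellings (decimal,
  // octal, hex), so "https://2130706433/" arrives here as hostname "127.0.0.1".
  const host = u.hostname.toLowerCase();
  if (host.startsWith("[")) {
    return isInternalIPv6(host)
      ? { ok: false, reason: "internal IPv6 address" }
      : { ok: true, url: u.toString() };
  }
  const v4 = parseIPv4(host);
  if (v4) {
    return isInternalIPv4(v4)
      ? { ok: false, reason: "internal IPv4 address" }
      : { ok: true, url: u.toString() };
  }
  if (
    host === "localhost" || host.endsWith(".localhost") ||
    host.endsWith(".local") || host.endsWith(".internal") ||
    !host.includes(".")
  ) {
    return { ok: false, reason: "internal-looking hostname" };
  }
  return { ok: true, url: u.toString() };
}
```

Parsing with `URL` first, rather than matching the raw string, is what makes the IP checks meaningful: the raw string `2130706433` contains no dots and would pass a naive private-range regex. Even so, a hostname check cannot see what a public name resolves to, which is why the backend that actually fetches the page must repeat the address check after resolution and after each redirect.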
LOW · 1 finding
src/index.ts:388
388 | repo: z.string().describe('Repository identifier (e.g., "org/repo-name")'),
389 | branch: z.string().describe('Branch name to check for deployments'),
390 | },
src/index.ts:20 · src/index.ts:388

// Network-exposed MCP; exploitable by any LLM prompt that calls get_deployment_preview with crafted branch names.

EXPLAIN: get_deployment_preview takes a 'branch' string and passes it to the Yocoolab API without validation. The API may validate it, but the server does not, so special characters or path-like sequences reach the API request unfiltered.
IMPACT: Limited, because the API is expected to validate branch names; an attacker can still query deployment information for arbitrary branches and learn deployment URLs.
FIX: Validate branch names before use. Git's own ref-name rules (no '..', no '@{', no control characters or spaces, no leading '-' or '/', no component starting with '.' or ending in '.lock') are the natural pattern, since the API cannot accept anything else; a stricter alphanumeric-plus-hyphen-underscore-slash pattern is also fine if the project's branches fit it.
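Validation for the 'repo' and 'branch' arguments, covering both the HIGH finding on list_open_threads/get_deployment_preview above and this LOW finding, as an added example that is not the project's code. `checkRepo`, `checkBranch`, `parseAllowlist`, `checkRepoAccess` and the `YOCOOLAB_ALLOWED_REPOS` variable name are this example's own assumptions; the branch rules follow git check-ref-format:

```typescript
// Added example, not code from the Yocoolab/mcp-server repository.
// Validates the `repo` and `branch` arguments that list_open_threads and
// get_deployment_preview forward to the Yocoolab API, and applies an optional
// repository allowlist. Names and the env-variable convention are assumptions.

export type Check = { ok: true } | { ok: false; reason: string };

// "owner/name": owner is alphanumerics and hyphens (no leading hyphen, max 39),
// name is alphanumerics, '.', '_' and '-' (max 100). Exactly one slash.
const REPO_RE = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,38})\/[A-Za-z0-9._-]{1,100}$/;

export function checkRepo(repo: string): Check {
  if (!REPO_RE.test(repo)) return { ok: false, reason: "repo must look like owner/name" };
  const name = repo.split("/")[1];
  if (name === "." || name === "..") return { ok: false, reason: "invalid repository name" };
  return { ok: true };
}

// Git's own ref-name rules (git check-ref-format), which the API has to apply
// anyway: no control chars, space, DEL or ~ ^ : ? * [ \ ; no "..", "@{" or
// "//"; no leading "-" or "/", no trailing "/" or "."; no component that
// starts with "." or ends in ".lock".
export function checkBranch(branch: string): Check {
  const bad = (reason: string): Check => ({ ok: false, reason });
  if (branch.length === 0 || branch.length > 255) return bad("empty or oversized branch name");
  if (/[\x00-\x20\x7f~^:?*\[\\]/.test(branch)) return bad("forbidden character in branch name");
  if (branch.includes("..") || branch.includes("@{") || branch.includes("//")) {
    return bad("forbidden sequence in branch name");
  }
  if (branch === "@" || branch.startsWith("-") || branch.startsWith("/") ||
      branch.endsWith("/") || branch.endsWith(".")) {
    return bad("bad leading or trailing character in branch name");
  }
  for (const component of branch.split("/")) {
    if (component.startsWith(".") || component.endsWith(".lock")) {
      return bad("bad path component in branch name");
    }
  }
  return { ok: true };
}

// Optional allowlist read once at startup, e.g.
// YOCOOLAB_ALLOWED_REPOS="acme/web-app,acme/api" (hypothetical variable name).
// Unset or empty means no restriction, which should be a deliberate choice.
export function parseAllowlist(raw: string | undefined): Set<string> | null {
  if (!raw || raw.trim() === "") return null;
  const set = new Set<string>();
  for (const entry of raw.split(",")) {
    const repo = entry.trim().toLowerCase(); // GitHub-style names are case-insensitive
    if (repo === "") continue;
    if (!checkRepo(repo).ok) throw new Error(`bad allowlist entry: ${entry}`);
    set.add(repo);
  }
  return set;
}

// Shape check first, then the allowlist; the reason string is safe to return
// to the model because it never echoes the rejected value.
export function checkRepoAccess(repo: string, allow: Set<string> | null): Check {
  const shape = checkRepo(repo);
  if (!shape.ok) return shape;
  if (allow !== null && !allow.has(repo.toLowerCase())) {
    return { ok: false, reason: "repository not in the configured allowlist" };
  }
  return { ok: true };
}
```

The allowlist is parsed once from configuration rather than per call so that a malformed entry fails at startup instead of silently widening access later; the same fixed-list approach applies to the event_name argument of pendo_track_event.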
5/31/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.