Hi, I’m reporting a security issue affecting the MCP shell server here since I couldn't find any private disclosure path :)
Summary
The server passes user‑supplied command strings directly to a shell. Shell metacharacters are interpreted, allowing multiple commands to execute in a single request. There is no effective validation or blacklist enforcement in the execution path, despite the README describing “secure command execution.”
A simple PoC would be trying to use the run_command tool with:
{
  "command": "ls ; rmdir TEST_TO_REMOVE"
}
which gets executed even though rmdir is BLACKLISTED
Impact
- Arbitrary command execution in the user context
- Filesystem modification and denial of service
- Security controls can be bypassed trivially
Root cause
- Shell‑backed execution of untrusted input
- No escaping or post‑parse validation
- No effective blacklist enforcement in the execution path
Suggested remediation
- Explicitly reject shell metacharacters
- Implement a capability‑based allowlist
- Or clearly document the tool as unsafe by design
I did not find a SECURITY.md or private disclosure channel, so I’m reporting this here. Happy to continue the discussion privately if preferred.
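To make the bypass described above concrete, here is an added example (not code from the MCP shell server or its author): a hypothetical blacklist-style filter that inspects only the first token and then hands the raw string to a shell, next to a hardened version that rejects shell metacharacters, parses the string with `shlex`, checks the program against an allowlist, and executes without a shell. The names `BLACKLIST`, `ALLOWLIST`, `run_with_shell` and `run_hardened` are assumptions for illustration; the demo uses a harmless `echo` injection rather than `rmdir`.

```python
import shlex
import subprocess

# Constructed, hypothetical blacklist of the kind the report describes.
BLACKLIST = {"rm", "rmdir", "mkfs", "dd"}


def blacklist_allows(command: str) -> bool:
    """Naive filter: look only at the first whitespace-separated token.

    'ls ; rmdir X' passes because the first token is 'ls'.
    """
    tokens = command.split()
    return bool(tokens) and tokens[0] not in BLACKLIST


def run_with_shell(command: str) -> str:
    """Vulnerable pattern: shell=True lets ';', '&&', '|', '$(...)' etc. chain commands."""
    if not blacklist_allows(command):
        raise PermissionError("blacklisted command")
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


# Hardened variant (assumed design, not the project's code): allowlist + no shell.
ALLOWLIST = {"ls", "cat", "echo", "pwd"}
SHELL_META = set(";&|<>`$(){}*?[]~\n")


def validate_argv(command: str) -> list[str]:
    """Reject metacharacters on the raw string, then parse into argv and allowlist argv[0]."""
    bad = sorted(ch for ch in SHELL_META if ch in command)
    if bad:
        raise ValueError(f"shell metacharacters rejected: {bad!r}")
    argv = shlex.split(command)
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in ALLOWLIST:
        raise PermissionError(f"{argv[0]!r} is not an allowlisted program")
    return argv


def run_hardened(command: str) -> str:
    """Execute argv directly; the kernel receives a program and arguments, never a shell line."""
    argv = validate_argv(command)
    result = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    poc = "echo first ; echo INJECTED"  # same shape as 'ls ; rmdir TEST_TO_REMOVE'
    print("blacklist check passes:", blacklist_allows("ls ; rmdir TEST_TO_REMOVE"))
    print("shell-backed output:", run_with_shell(poc))
    try:
        run_hardened(poc)
    except ValueError as exc:
        print("hardened version rejected it:", exc)
```

The important property is that the hardened path never lets the input reach a shell at all: once the string is parsed into an argv list and executed with `shell=False`, a `;` or `$(...)` is just a literal argument to an allowlisted program, so the filter does not have to enumerate every dangerous construct.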