Follow-up from @rng1995's review on #36:
> "the streamable-HTTP transport is unauthenticated … If an operator binds it to a routable interface, an unauthenticated caller could request file:///… or a local path and get file contents reflected back in findings/report (local file disclosure), or use it to drive outbound fetches (SSRF)."
The `skillspector mcp --transport http` command ships without authentication. The README advertises it for "remote / A2A callers" via `--host`, but any unauthenticated caller that reaches the endpoint can:

- Pass `file:///etc/passwd` or an arbitrary local path as `target` and get file contents reflected back in `findings` / `report` (local file disclosure)
- Pass an internal URL as `target` to drive outbound fetches from the host (SSRF)
Over stdio or 127.0.0.1 this is the same trust boundary as the CLI and is safe. Binding to a routable interface without an authenticating proxy in front is where the risk materializes.
Proposed Fix
- Add a trust-model warning to the docs: HTTP transport ships without auth; sit it behind an authenticating proxy before any public exposure.
- When running over HTTP, reject `file://` and bare local paths in `target`, or gate them behind an explicit `--allow-local-paths` flag.
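The second bullet, as an added example that is not skillspector's own code: a transport-aware target check that admits only `http`/`https` URLs over the HTTP transport unless `--allow-local-paths` was given, and imposes no restriction over stdio (same trust boundary as the CLI). The function names, the `transport` string values and the `allow_local_paths` parameter are assumptions for illustration; the real CLI may wire the flag differently.

```python
"""Transport-aware target validation (hypothetical helper, not skillspector's code)."""
from urllib.parse import urlparse

# Only these schemes are considered remote targets. Anything else
# (file://, scheme-less strings, drive letters) is treated as local.
REMOTE_SCHEMES = {"http", "https"}


class TargetRejected(ValueError):
    """Raised when a target is not allowed for the active transport."""


def classify_target(target: str) -> str:
    """Classify a raw target string as 'remote', 'file', or 'local'.

    'remote' : http(s) URL with a host part
    'file'   : file:// URL, any letter case
    'local'  : everything else: /etc/passwd, ./skill.md, C:\\skills\\x,
               or a scheme-less host/path string, which most fetchers
               fall back to opening as a filesystem path
    """
    parsed = urlparse(target.strip())
    scheme = parsed.scheme.lower()
    if scheme in REMOTE_SCHEMES and parsed.netloc:
        return "remote"
    if scheme == "file":
        return "file"
    return "local"


def validate_target(target: str, transport: str, allow_local_paths: bool = False) -> str:
    """Return the target's kind if it is acceptable for `transport`, else raise.

    transport: "stdio" (no restriction) or "http" (remote-only by default).
    allow_local_paths: assumed to mirror an explicit --allow-local-paths flag.
    """
    kind = classify_target(target)
    if transport == "stdio":
        # Same process, same user, same trust boundary as the CLI.
        return kind
    if kind == "remote" or allow_local_paths:
        return kind
    raise TargetRejected(
        f"{kind} target {target!r} is not allowed over the {transport} transport; "
        "start the server with --allow-local-paths to permit it"
    )


if __name__ == "__main__":
    # Constructed sample inputs, not real requests.
    samples = [
        ("file:///etc/passwd", "http"),
        ("/etc/passwd", "http"),
        ("https://example.invalid/skill.md", "http"),
        ("/home/me/skill.md", "stdio"),
    ]
    for target, transport in samples:
        try:
            print(f"{transport:5} {target!r:40} -> {validate_target(target, transport)}")
        except TargetRejected as exc:
            print(f"{transport:5} {target!r:40} -> REJECTED: {exc}")
```

Note that this only closes the local-file-disclosure path; the SSRF bullet still needs outbound egress controls, and neither replaces the authenticating proxy the first bullet calls for.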