react-doctor/mcp-tool-capability-risk

An MCP tool runs with the connecting client's authority, so reaching shell, filesystem, or network primitives without validation lets injected input abuse them.

  • Category: Security
  • Severity: warn
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: production source files (.js/.ts/.jsx/.tsx, etc.); test/build/doc/generated paths skipped

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires only when all three co-occur in one production file (comments are stripped first):

  • an MCP SDK import or symbol: from '@modelcontextprotocol/sdk…', McpServer, McpAgent
  • a tool-surface registration: server.tool/resource/prompt(, registerTool/Resource/Prompt(, setRequestHandler(CallToolRequestSchema|ListToolsRequestSchema, or new McpServer/McpAgent(
  • a dangerous-capability token: exec/spawn/child_process/eval/new Function/vm.run/readFile/writeFile/fs.read|write/fetch/axios/http.request/sandbox/runCode/executeCode

FALSE POSITIVE: the dangerous capability lives elsewhere in the file and is not actually reachable from the tool handler (the gate is file-level co-occurrence, not data flow), or the call already validates/authorizes its input; the tool may be safe even though all three tokens appear.
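As an added illustration of this gate (not the oxlint-plugin-react-doctor implementation), here is a file-level co-occurrence check in TypeScript run over three constructed source samples. The regexes approximate the token lists above and the comment stripper is simplified, so the plugin's real matching may differ in detail; the point is the behaviour of a token gate versus data flow:

```typescript
// Added illustration, not the plugin's own code: a file-level co-occurrence gate
// in the shape the validation prompt describes. Patterns are a simplification
// of the three token lists; the real plugin's matching may differ.

const MCP_IMPORT = /@modelcontextprotocol\/sdk|\bMcpServer\b|\bMcpAgent\b/;
const TOOL_SURFACE =
  /\b(?:server\.(?:tool|resource|prompt)|register(?:Tool|Resource|Prompt))\s*\(|setRequestHandler\s*\(\s*(?:CallTool|ListTools)RequestSchema|new\s+(?:McpServer|McpAgent)\s*\(/;
const DANGEROUS =
  /\b(?:exec|spawn|child_process|eval|vm\.run\w*|readFile|writeFile|fetch|axios|http\.request|sandbox|runCode|executeCode)\b|new\s+Function\b|\bfs\.(?:read|write)\w*/;

// Strip // and /* */ comments before matching (simplified: ignores string literals).
export function stripComments(src: string): string {
  return src.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/[^\n]*/g, "");
}

export interface GateResult {
  mcp: boolean;
  toolSurface: boolean;
  dangerous: boolean;
  fires: boolean;
}

// The gate: all three token classes must appear somewhere in the comment-free file.
export function gate(src: string): GateResult {
  const code = stripComments(src);
  const mcp = MCP_IMPORT.test(code);
  const toolSurface = TOOL_SURFACE.test(code);
  const dangerous = DANGEROUS.test(code);
  return { mcp, toolSurface, dangerous, fires: mcp && toolSurface && dangerous };
}

// Constructed sample: client-supplied string reaches a shell from the handler.
export const SAMPLE_TRUE_POSITIVE = `
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { exec } from "node:child_process";
const server = new McpServer({ name: "demo", version: "0.0.0" });
server.tool("run", { cmd: z.string() }, async ({ cmd }) => {
  exec(cmd);
  return { content: [] };
});
`;

// Constructed sample: the capability is only named in a comment, which is stripped.
export const SAMPLE_COMMENT_ONLY = `
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
const server = new McpServer({ name: "demo", version: "0.0.0" });
// TODO: never call exec() from here
server.tool("ping", {}, async () => ({ content: [{ type: "text", text: "pong" }] }));
`;

// Constructed sample: readFile runs at startup on a fixed path and is unreachable
// from the tool handler, yet the file-level gate still fires. This is the
// FALSE POSITIVE case the validation prompt describes.
export const SAMPLE_FALSE_POSITIVE = `
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { readFile } from "node:fs/promises";
const version = await readFile("./VERSION", "utf8");
const server = new McpServer({ name: "demo", version });
server.tool("ping", {}, async () => ({ content: [{ type: "text", text: "pong" }] }));
`;
```

Running `gate` over the three samples shows why the prompt asks a reviewer to trace reachability by hand: the first and third both fire, and only reading the handler body distinguishes them.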

Fix prompt

Use this once validation confirms the diagnostic is real.

Validate and constrain every tool input with a strict schema and enforce per-tool authorization, since MCP handlers run with the client's authority. Avoid raw shell, filesystem, and network access in tool bodies; when unavoidable, run fixed binaries with a validated argument array (no shell strings), confine filesystem access to an allowlisted base directory with traversal checks, and restrict outbound fetch/axios to an allowlist to prevent server-side request forgery (SSRF).
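An added TypeScript example of the hardened shape the fix prompt asks for; it is not code from react-doctor or from the MCP SDK. The base directory, host allowlist, scope name, converter binary and tool context type are all assumed, and the SDK registration itself (`server.tool(...)` with a schema) is left out so the block runs without the SDK installed:

```typescript
// Added example (not react-doctor's or the MCP SDK's code): hardening a tool body
// along the lines of the fix prompt. Paths, hosts, scopes and binary are constructed.

export const EXPORT_ROOT = "/srv/mcp/exports"; // hypothetical allowlisted base directory
export const HOST_ALLOWLIST: ReadonlySet<string> = new Set(["api.example.com"]); // constructed

export interface ToolContext { readonly scopes: ReadonlySet<string> } // stand-in for client identity
export interface ExportInput { readonly name: string; readonly format: "json" | "csv" }

// Per-tool authorization: the handler runs with the client's authority, so confirm
// the client holds the scope this tool needs before touching anything.
export function assertAuthorized(ctx: ToolContext, scope: string): void {
  if (!ctx.scopes.has(scope)) throw new Error(`missing scope: ${scope}`);
}

// Strict schema: known keys only, exact types, and a name that can never be a path.
// (In a real server this is what the schema passed to server.tool() would enforce.)
export function parseExportInput(raw: unknown): ExportInput {
  if (typeof raw !== "object" || raw === null) throw new Error("input must be an object");
  const obj = raw as Record<string, unknown>;
  for (const key of Object.keys(obj)) {
    if (key !== "name" && key !== "format") throw new Error(`unexpected key: ${key}`);
  }
  const { name, format } = obj;
  if (typeof name !== "string" || !/^[a-z0-9][a-z0-9_-]{0,63}$/.test(name)) {
    throw new Error("name must be a short slug");
  }
  if (format !== "json" && format !== "csv") throw new Error("format must be json or csv");
  return { name, format };
}

// Lexical normalisation of a POSIX path into segments, collapsing "." and "..".
function segments(p: string): string[] {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return out;
}

// Confine a caller-supplied relative path to the base directory. The comparison is
// segment-wise, so "../exports-evil/x" cannot pass as a sibling sharing a string prefix.
export function resolveWithinBase(base: string, userPath: string): string {
  if (userPath.startsWith("/") || userPath.includes("\0") || userPath.includes("\\")) {
    throw new Error(`rejected path: ${JSON.stringify(userPath)}`);
  }
  const root = segments(base);
  const target = segments(`${base}/${userPath}`);
  const escapes = target.length < root.length || root.some((s, i) => target[i] !== s);
  if (escapes) throw new Error(`path escapes base directory: ${userPath}`);
  return "/" + target.join("/");
}

// Outbound allowlist: https only, exact hostname match, no embedded credentials.
export function assertAllowedUrl(input: string, allowlist: ReadonlySet<string>): URL {
  const url = new URL(input); // throws on malformed input
  if (url.protocol !== "https:") throw new Error(`scheme not allowed: ${url.protocol}`);
  if (!allowlist.has(url.hostname)) throw new Error(`host not allowed: ${url.hostname}`);
  if (url.username !== "" || url.password !== "") throw new Error("credentials in URL not allowed");
  return url;
}

// The tool body: returns the fixed binary and validated argv it would hand to
// child_process.execFile (never a shell string) plus the confined output path.
export function planExport(ctx: ToolContext, raw: unknown): { argv: readonly string[]; outFile: string } {
  assertAuthorized(ctx, "export:write");
  const input = parseExportInput(raw);
  const outFile = resolveWithinBase(EXPORT_ROOT, `${input.name}.${input.format}`);
  const source = assertAllowedUrl(`https://api.example.com/reports/${input.name}`, HOST_ALLOWLIST);
  // Hypothetical converter binary; argv is an array, so client input never reaches a shell.
  const argv = ["/usr/local/bin/exporter", "--from", source.href, "--format", input.format, "--out", outFile];
  return { argv, outFile };
}
```

Two caveats the block does not cover: `resolveWithinBase` is a lexical check, so a symlink inside the base directory must be resolved with `fs.realpath` before the comparison is trusted, and a hostname allowlist only holds if the fetch is made with `redirect: "manual"` so an allowed host cannot redirect the request to an internal address.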