codebolt-mcp-access
Audited by Socket on Feb 24, 2026
3 alerts found:
Obfuscated File (x2), Security: This documentation describes powerful filesystem primitives that, if implemented without sandboxing, path sanitization, and strict access control, present meaningful supply-chain and operational risks: arbitrary file read (including secrets), bulk exfiltration, arbitrary file overwrite/modification, and directory enumeration. I did not find explicit malicious code or obfuscation in the fragment, but the API's capabilities require careful implementation and operational controls. Immediate recommendations: verify the implementation enforces an explicit allowed root, validates/sanitizes paths (including symlink resolution), runs with least privilege, requires caller authentication/authorization, logs/audits all operations, and rate-limits or restricts batch reads. Do not expose this API to untrusted callers or CI agents with elevated host privileges without these safeguards.
[Skill Scanner] Credential file access detected
All findings:
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
BENIGN: The fragment is a coherent high-level capability description for Codebolt MCP access, outlining legitimate tool namespaces and usage patterns. There are no actionable payloads, credential requests, or external data flows evident in the fragment. The scope is broad but aligned with the stated purpose of enabling tool execution and orchestration within Codebolt MCP. Still, due to the breadth of capabilities, ensure proper authorization checks and least-privilege enforcement in the actual implementation.
LLM verification: This SKILL.md is a high-privilege instruction document that legitimately describes broad platform capabilities. It does not itself contain executable malware, obfuscated payloads, or direct download-execute commands. However, its scope is large and insufficiently constrained: it documents tools that can read arbitrary files, execute shell commands, modify git repos, and send data externally. Without additional runtime safeguards (least-privilege enforcement, explicit disallow of reading secrets,
This code snippet itself is not explicit malware, but it demonstrates a high-risk supply-chain and command-execution pattern: using npx at runtime to fetch and execute a package with caller-provided CLI arguments and no shown validation or isolation. That pattern yields moderate-to-high security risk in production contexts. Mitigations: avoid runtime fetching, pin versions and checksums, restrict allowable commands/args via whitelisting, run external packages in isolated, minimal-privilege sandboxes, and perform code audits of any package fetched and run.