admin-mcp
Audited by Socket on Feb 25, 2026
1 alert found:
Security: This is documentation for managing MCP servers in Claude Desktop and is not itself malicious code. However, it endorses execution of unpinned npm packages via npx (including 'npx -y'), and examples persist environment variables (including API_KEY) to disk. Those patterns are legitimate for installing third-party server packages but create moderate supply-chain and credential exposure risks: an attacker who publishes or compromises an MCP package or gains access to the profile files could execute arbitrary code or harvest credentials. The content should be treated as functional but risky: use pinned package versions, avoid embedding secrets in config files, and verify package provenance before adding to the profile.