claude-cli

Fail

Audited by Socket on Feb 16, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

This document describes a powerful, extensible CLI with multiple high-risk capabilities: executing arbitrary local commands from project configs, forwarding environment variables (potentially secrets) into spawned processes, communicating with external MCP endpoints, and installing and executing plugins from marketplaces. These features create clear supply-chain and local-host risks (credential leakage, data exfiltration, arbitrary code execution) if project configurations or plugins are untrusted or if users bypass permission prompts. The documentation acknowledges some best practices (do not commit secrets, approve project servers) but lacks details about enforcement and integrity checks. Recommendations: treat .mcp.json and plugin sources as untrusted by default, refuse to auto-load or auto-execute unapproved project servers, avoid storing secrets in committed configs, enable interactive permission checks, and require signed/verified plugins or sandbox MCP processes.

Confidence: 98%
Audit Metadata
Analyzed At: Feb 16, 2026, 12:25 AM
Package URL: pkg:socket/skills-sh/lanej%2Fdotfiles%2Fclaude-cli%2F@31431ce512ae533d598232c7f3acecaef4ff5ac8