jetbrains-skill
Audited by Socket on Feb 15, 2026
1 alert found:
Obfuscated File
The provided file is documentation/specification for an IDE feature (MCP Server) that exposes potent file-read, file-write, and execution APIs to external clients. The text itself is not malicious, but the described capabilities, especially when combined with Brave Mode and automatic client configuration, present a moderate-to-high security risk: potential data exfiltration (files, env vars, run configs), unauthorized command execution, and persistent tampering of project sources. Recommended mitigations (not exhaustive): enforce strong client authentication and allowlisting, require explicit interactive confirmation for dangerous actions (avoid Brave Mode for untrusted clients), redact sensitive fields from returned run configurations, enable thorough audit logging, and limit MCP server access to projects that contain no secrets or use secret-masking policies.