mcporter
Audited by Socket on Mar 1, 2026
1 alert found:
Malware
The provided README/manifest describes a legitimate CLI tool with powerful capabilities (running user-specified local commands as stdio endpoints, calling arbitrary URLs, and storing credentials locally). I find no explicit indicators of embedded malicious code, hard-coded secrets, or obfuscation in the text. However, the combination of arbitrary command execution, network calls to user-controlled endpoints, and local JSON credential storage constitutes a moderate security risk: it enables credential forwarding and data exfiltration if the tool is misused or if the npm package distribution is compromised.
Recommended mitigations before trusting or deploying: verify package provenance/signature, prefer secure credential storage (OS credential store or encrypted files), restrict/whitelist target domains where feasible, add explicit confirmation prompts for sending credentials or executing commands provided from untrusted sources, and audit the installed package code and install scripts.