This is a coordinated, exploit-free disclosure for the public MCP server surface documented in this repository and its adjacent server-facing guidance.
Targets covered in this note
- mcp-server-git follow-on trust-boundary and deployment guidance
- filesystem server docs
- fetch server docs
Related public MCP surfaces reviewed in the same study
- GitHub MCP server docs
- Playwright MCP server docs
Summary
We reviewed public schema metadata together with documented host-permission / deployment guidance and then used a local-only harness to validate sink shape without contacting external services or using real secrets. In the current public docs, several tool surfaces can still be read as reaching path-write, network-request, or secret-handling sinks unless the deployment boundary is interpreted very carefully.
This report does not include a live exploit, third-party accounts, or real secrets. The goal is documentation and trust-boundary clarification.
Suggested follow-up
- confirm whether the current permission and tool-routing behavior is intended,
- tighten schema or documentation where the intended boundary is narrower than the public description,
- make deployment / sandbox guidance more explicit for filesystem-, git-, and fetch-like servers,
- point reporters to a preferred security channel if a private follow-up would be more appropriate.
If useful, I can follow up with the exact exploit-free reproduction shape privately.