Cherry Mcp
Security checks across malware telemetry and agentic risk
Overview
Cherry MCP appears to be a real MCP-to-HTTP bridge, but its persistent local server exposes MCP tool calls through an unauthenticated REST API with wildcard CORS.
Install only if you intentionally want a long-running local MCP-to-HTTP gateway. Keep it bound to 127.0.0.1, add authentication before using sensitive or mutating MCP tools, remove wildcard CORS if not required, configure only trusted MCP server commands, avoid plaintext secrets where possible, and do not enable PM2 startup unless you want the service to persist across reboots.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Any local process, and potentially a web page running in the user's browser, could enumerate and invoke configured MCP tools if the service is running.
The HTTP endpoint accepts a tool name and arguments and invokes the configured MCP tool, while allowing all browser origins and showing no authentication, CSRF protection, or per-tool approval around the call.
res.setHeader('Access-Control-Allow-Origin', '*'); ... const { tool, arguments: args } = JSON.parse(body); ... const result = await srv.callTool(tool, args || {});
Add a required bearer token or other local authentication, restrict CORS to trusted origins or disable it by default, and consider per-tool allowlists or confirmation for mutating tools.
Sensitive tool results from configured MCP servers could be exposed to unintended local callers or browser-origin requests.
This MCP-to-HTTP gateway returns tool results over a local REST interface, but the code does not define caller identity, origin trust, or data-boundary controls beyond the default loopback bind.
http.createServer(handler).listen(PORT, HOST, ...); ... res.setHeader('Access-Control-Allow-Origin', '*'); ... res.end(JSON.stringify({ result }));
Keep the host bound to 127.0.0.1, add explicit client authentication, remove wildcard CORS unless needed, and avoid returning sensitive tool outputs to unauthenticated clients.
Configured MCP servers may receive tokens or other environment secrets and use them with the user's account permissions.
The skill clearly discloses that API keys may be stored in plaintext and that spawned MCP servers inherit environment variables. This is expected for MCP integrations, but it grants delegated account authority to configured servers.
node cli.js set-env github GITHUB_TOKEN ghp_xxx ... they're saved in plain text in `config.json` ... The server inherits your shell environment.
Use trusted MCP servers only, prefer environment variables or a secrets manager over plaintext config, restrict file permissions on config.json, and use least-privilege tokens.
A malicious or mistaken MCP server command in config.json would run locally with the user's privileges and environment.
The bridge executes configured child processes. This is expected for an MCP stdio bridge, but it means the configuration controls what local programs run.
this.process = spawn(command, args, { env: { ...process.env, ...env }, stdio: ['pipe', 'pipe', 'pipe'] });
Only add MCP server commands from trusted sources, review config.json before starting the bridge, and avoid running it with elevated privileges.
Users may rely on a payload-size protection that is not actually enforced, increasing denial-of-service risk against the local service.
SKILL.md claims a 1MB max payload, but the request handler shown here accumulates the body without an evident size check before parsing.
let body = ''; for await (const chunk of req) body += chunk; const { tool, arguments: args } = JSON.parse(body);
Implement and test an explicit request-size limit, or remove the 1MB max-payload claim from the documentation.
The bridge and configured MCP servers may keep running after the immediate task is finished, including after reboot if startup is enabled.
The documentation recommends running the bridge as a PM2-managed service and optionally enabling boot startup. This is disclosed and purpose-aligned, but it creates a persistent local agent/tool gateway.
pm2 start bridge.js --name cherry-mcp
pm2 save
# Auto-start on boot
pm2 startup
Enable PM2 startup only if you need a persistent bridge, and know how to stop or remove the service when it is no longer needed.
