Cherry Mcp
Warn. Audited by ClawScan on May 10, 2026.
Overview
Cherry MCP is a coherent MCP-to-HTTP bridge, but its local REST server can invoke configured MCP tools without authentication and has some overstated security controls.
Install only if you are comfortable running a persistent local MCP gateway. Use trusted and pinned MCP server commands, avoid storing secrets in config.json, add authentication or stricter local access controls before using sensitive tools, and do not enable pm2 startup unless you want it to keep running after reboots.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A local process, or a web page able to reach localhost through the browser, could invoke configured MCP tools that may use the user's tokens or accounts.
The bridge exposes MCP tool calls over HTTP with wildcard CORS and no authentication layer; checkSecurity only handles optional IP/rate-limit checks.
bridge.js: "res.setHeader('Access-Control-Allow-Origin', '*'); ... const { tool, arguments: args } = JSON.parse(body); ... const result = await srv.callTool(tool, args || {});"
Add an authentication token or origin restriction before enabling tools with sensitive credentials, and avoid running this bridge while browsing untrusted sites unless access is otherwise constrained.
Users may rely on a safety limit that is not actually implemented, leaving the local service more exposed to large-request denial-of-service behavior.
The documentation claims a 1MB payload limit, but the request handler accumulates the body without enforcing a size cap.
SKILL.md: "1MB max payload"; bridge.js: "for await (const chunk of req) body += chunk;"
Implement and test a real request-size limit, or remove the security claim until it is enforced.
Any MCP server command added to the config runs with the user's local privileges and inherited environment.
The bridge executes configured MCP server commands as child processes, which is expected for this MCP-to-REST bridge but still powerful.
bridge.js: "this.process = spawn(command, args, { env: { ...process.env, ...env }, stdio: ['pipe', 'pipe', 'pipe'] });"
Only add MCP servers from trusted sources, prefer pinned package versions, and review each command before starting the bridge.
Tokens placed in config.json may be readable by local users, backups, sync tools, or accidental commits.
The skill explicitly supports storing API keys for MCP servers in a local plain-text config file.
"If you store API keys via `set-env`, they're saved in plain text in `config.json`."
Prefer environment variables or a secrets manager, restrict file permissions, and never commit config.json when it contains secrets.
The bridge and its MCP child processes can keep running beyond a single task or terminal session.
The documentation recommends running the bridge as a persistent pm2 service and optionally configuring boot-time startup.
pm2 start bridge.js --name cherry-mcp ... pm2 save ... pm2 startup
Use pm2 startup only if you want this service to persist, and stop/remove the pm2 service when it is no longer needed.
