Cherry Mcp

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A local process, or a web page able to reach localhost through the browser, could invoke configured MCP tools that may use the user's tokens or accounts.

Why it was flagged

The bridge exposes MCP tool calls over HTTP with wildcard CORS and no authentication layer; checkSecurity only handles optional IP/rate-limit checks.

Skill content

res.setHeader('Access-Control-Allow-Origin', '*'); ... const { tool, arguments: args } = JSON.parse(body); ... const result = await srv.callTool(tool, args || {});

Recommendation

Add an authentication token or origin restriction before enabling tools with sensitive credentials, and avoid running this bridge while browsing untrusted sites unless access is otherwise constrained.

What this means

Users may rely on a safety limit that is not actually implemented, leaving the local service more exposed to large-request denial-of-service behavior.

Why it was flagged

The documentation claims a 1MB payload limit, but the request handler accumulates the body without enforcing a size cap.

Skill content

SKILL.md: "1MB max payload"; bridge.js: "for await (const chunk of req) body += chunk;"

Recommendation

Implement and test a real request-size limit, or remove the security claim until it is enforced.

What this means

Any MCP server command added to the config runs with the user's local privileges and inherited environment.

Why it was flagged

The bridge executes configured MCP server commands as child processes, which is expected for this MCP-to-REST bridge but still powerful.

Skill content

this.process = spawn(command, args, { env: { ...process.env, ...env }, stdio: ['pipe', 'pipe', 'pipe'] });

Recommendation

Only add MCP servers from trusted sources, prefer pinned package versions, and review each command before starting the bridge.

What this means

Tokens placed in config.json may be readable by local users, backups, sync tools, or accidental commits.

Why it was flagged

The skill explicitly supports storing API keys for MCP servers in a local plain-text config file.

Skill content

"If you store API keys via `set-env`, they're saved in plain text in `config.json`."

Recommendation

Prefer environment variables or a secrets manager, restrict file permissions, and never commit config.json when it contains secrets.

What this means

The bridge and its MCP child processes can keep running beyond a single task or terminal session.

Why it was flagged

The documentation recommends running the bridge as a persistent pm2 service and optionally configuring boot-time startup.

Skill content

pm2 start bridge.js --name cherry-mcp ... pm2 save ... pm2 startup

Recommendation

Use pm2 startup only if you want this service to persist, and stop/remove the pm2 service when it is no longer needed.

Findings (2)

critical

suspicious.dangerous_exec

Location
bridge.js:56
Finding
Shell command execution detected (child_process).

critical

suspicious.dangerous_exec

Location
cli.js:119
Finding
Shell command execution detected (child_process).