Cherry Mcp

The skill allows the user to configure and execute arbitrary commands as child processes via `cli.js` and `bridge.js`, which is a high-risk capability, even though it's central to its stated purpose of running MCP servers. Additionally, the `cli.js` command `set-env` stores environment variables, potentially containing secrets, in plaintext within `config.json`. While the `SKILL.md` explicitly warns about these risks and the `bridge.js` defaults to binding on localhost, these capabilities introduce significant security concerns if the configuration is compromised or misused.