Optometry Ai Safety MCP Server

This MCP server implements optometry/medical device compliance tools with reasonable read-only logic, but has multiple security concerns that warrant user awareness. The primary issues are: (1) a hardcoded path traversal dependency on a non-existent shared auth module located at ~/clawd/meok-labs-engine/shared, creating a single point of failure and potential privilege escalation vector; (2) rate limiting and usage tracking implemented in-memory with file-based state stored in ~/.meok without proper locking, creating race conditions and potential bypass; (3) authentication middleware that validates API keys against a local JSON file without hashing, exposing keys in plaintext; and (4) the server's reliance on external authentication middleware from an untrusted path makes it unsuitable for isolated/sandboxed deployment. Permissions are appropriate for the stated purpose (read-only, no network calls, no shell execution), but the authentication architecture has structural weaknesses. Supply chain analysis found 3 known vulnerabilities in dependencies (0 critical, 3 high severity). Package verification found 1 issue.

7 files analyzed · 15 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.