Is bitbrujo/cherry-mcp safe?
https://github.com/openclaw/skills/tree/main/skills/bitbrujo/cherry-mcp
Cherry MCP is a legitimate MCP-to-HTTP bridge utility with no malicious code, no credential-harvesting logic, and no injection attempts in SKILL.md. The install process was clean — only a git clone to GitHub occurred, no npm install hooks ran, and no canary files were compromised. The primary concerns are architectural: a CORS wildcard header allows browser-based invocation of all MCP tools from any webpage, no authentication is enabled by default, and API keys are stored in plaintext in config.json; these risks are real but only activate when the user explicitly starts the bridge.
Findings (7)
HIGH CORS Wildcard Enables Browser-Based MCP Tool Invocation -25
bridge.js sets 'Access-Control-Allow-Origin: *' on all responses including the /call endpoint. Even though the server binds to 127.0.0.1, any webpage the user visits can make cross-origin fetch/XHR requests to http://localhost:3456/
MEDIUM MCP Child Processes Inherit Full Shell Environment -10
MCPServer.start() spawns child processes with env: { ...process.env, ...env }, merging the entire agent process environment into the child. Any API tokens, cloud credentials, or secrets present in the shell environment at start time flow into every MCP server process, even those that don't need them.
MEDIUM API Keys Stored in Plaintext in config.json -5
The set-env CLI command writes API keys directly to config.json as plaintext strings. Any process with read access to the skill directory — including other skills or compromised tools — can read all stored credentials. The SKILL.md acknowledges this risk but does not enforce safer alternatives.
MEDIUM No Authentication on HTTP API by Default -20
The bridge exposes a full tool-invocation API on localhost:3456 with no authentication. Default config.json ships with an empty security object (no rateLimit, no allowedIps, no auditLog). A user who starts the bridge without explicitly configuring security gets an open, unauthenticated API for all registered MCP tools.
LOW Command Execution Gated Only by config.json Contents -8
bridge.js executes whatever command is stored in config.json via Node's spawn(). If another skill or agent action can write to config.json (it has no integrity protection), an attacker could register a malicious command that runs with the user's full environment on the next bridge restart.
LOW Install Connects Only to GitHub — Expected Behavior 0
The only external network connection during install was a TLS connection to 140.82.121.4:443, which is github.com, for the sparse git clone of the openclaw/skills monorepo. No secondary connections, no telemetry, no payload download.
INFO Canary File Accesses Attributed to Monitoring Infrastructure 0
Open/access events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json appear at timestamps before the git clone and in a post-install sweep. No skill processes were executing at these times; these events originate from the monitoring system itself.