Security: MCP workers_create builds shell command from unsanitized input #256

@ronmikailov

Description

Summary
The MCP server in the published npm package ruvector@0.2.12 appears to build a shell command for workers_create using unsanitized user-controlled input.

Affected published artifact

  • Package: ruvector@0.2.12
  • File: bin/mcp-server.js
  • Relevant area: around lines 3056-3063 in the published npm tarball

Why this looks risky
The workers_create MCP tool accepts free-form name, preset, and triggers values. The handler then constructs a command roughly like:

npx agentic-flow@alpha workers create "${name}" --preset ${preset}
... --triggers "${triggers}"

and executes it with execSync(cmd, ...).

Unlike nearby handlers, these values do not appear to be passed through the shared sanitizeShellArg(...) helper before interpolation. That makes this path stand out from the rest of the MCP server as a likely command-injection candidate.

Additional concern
The workers_* MCP handlers also invoke npx agentic-flow@alpha ... at runtime, but agentic-flow is not declared as a dependency of ruvector in the published package. Even aside from the direct injection concern above, that creates a runtime supply-chain/trust dependency on a moving alpha package.

Suggested fix

  1. Stop using execSync with shell-interpolated strings for workers_create and similar handlers.
  2. Switch to spawn/execFile with an argv array.
  3. If shell execution must remain temporarily, apply strict sanitization to name, preset, and triggers before command construction.
  4. Consider pinning or vendoring the worker runtime instead of calling npx agentic-flow@alpha dynamically from the MCP server.

Notes

  • This report is based on static inspection of the current published npm package, not a live exploit demonstration.
  • I did not verify whether the repo source has already diverged from the published artifact.
