DollhouseMCP

# Critical Security Gap Analysis ## Executive Summary **CRITICAL**: The current DollhouseMCP architecture performs ALL security validation on the client side, which can be completely bypassed by modifying the local MCP server code. ## The Problem ### Current State (Vulnerable) ``` User → Local MCP Server → [Local Validation] → GitHub API → Public Repository ↑ ↑ Can modify Can bypass ``` ### Attack Scenario ```typescript // Attacker modifies their local PersonaSharer.ts: async sharePersona(persona: Persona): Promise<ShareResult> { // Comment out all security checks // this.validateContent(persona); // BYPASSED // this.scanForMalicious(persona); // BYPASSED // Directly submit malicious content return this.submitToGitHub(maliciousPayload); } ``` ## Impact Assessment ### High Risk Scenarios 1. **Malicious Code Injection** - Attacker bypasses local validation - Injects malicious prompts/code - Gets published to public marketplace - Affects all users who install 2. **Token Theft** - Embedded token-stealing prompts - Exfiltration instructions - Social engineering attacks 3. **Platform Reputation** - One successful attack damages trust - Media coverage of security breach - User exodus ## Required Architecture (Secure) ``` User → Local MCP → Cloud API Gateway → [Server Validation] → GitHub API → Repository ↑ ↑ Cannot modify Cannot bypass ``` ## Immediate Action Plan ### Week 1: Emergency Measures 1. **Disable Direct GitHub Submission** ```typescript // Temporary measure in PersonaSharer.ts async submitPersona(persona: Persona): Promise<SubmitResult> { throw new Error( 'Direct submission temporarily disabled. ' + 'Please use manual review process: security@dollhousemcp.com' ); } ``` 2. **Implement Manual Review Queue** - Email-based submission - Human review of all content - Temporary but secure ### Week 2-3: Build Cloud API 1. **Minimal Viable API** ```typescript // Simple Express API with validation app.post('/api/v1/personas/submit', authenticate, rateLimit, async (req, res) => { const validation = await validateServerSide(req.body); if (!validation.passed) { return res.status(400).json({ errors: validation.errors }); } // Only after validation passes const result = await submitToGitHub(req.body); return res.json(result); } ); ``` 2. **Deploy to Cloud** - AWS Lambda + API Gateway, or - Heroku, or - Vercel/Netlify Functions ### Week 4: Migration 1. Update MCP server to use API 2. Require API key for submissions 3. Monitor all submissions 4. Gradual rollout ## Cost-Benefit Analysis ### Cost of NOT Fixing - **Reputation**: Irreparable damage from first attack - **Legal**: Potential liability for distributed malware - **Users**: Loss of entire user base - **Time**: Months to recover from incident ### Cost of Fixing - **Development**: 2-4 weeks - **Infrastructure**: ~$200-500/month - **Maintenance**: Ongoing but manageable ## Recommended Immediate Actions ### 1. TODAY: Disable Direct Submission ```typescript // In PersonaSharer.ts - TEMPORARY PATCH if (!process.env.DOLLHOUSE_CLOUD_API_ENABLED) { logger.error('Direct GitHub submission disabled for security'); return { success: false, message: 'Submissions temporarily require manual review. Email: security@dollhousemcp.com' }; } ``` ### 2. THIS WEEK: Communication - Update documentation about temporary submission process - Prepare security advisory (don't mention vulnerability details) - Plan cloud API development ### 3. NEXT 2 WEEKS: Build API - Simple validation API - No fancy features initially - Just secure the submission path ## Alternative: Delay Launch If building the API isn't feasible immediately: 1. **Remove submission features entirely** - Read-only marketplace - No user submissions - Launch as "curated collection" 2. **Manual curation only** - Team adds personas - Community suggests via issues - Slow but secure ## Security Principles Violated 1. **Never Trust the Client** - Current: Trusts local validation - Required: Server validates everything 2. **Defense in Depth** - Current: Single layer (client) - Required: Multiple layers (client + server + monitoring) 3. **Principle of Least Privilege** - Current: Direct GitHub access - Required: Mediated through API ## Conclusion **This is a CRITICAL security issue that MUST be fixed before public launch.** Options: 1. **Best**: Build cloud API (2-4 weeks) 2. **Acceptable**: Disable submissions, launch read-only 3. **Unacceptable**: Launch with current architecture The current architecture is equivalent to having a bank vault where customers can disable the lock from outside. No amount of client-side security can fix this fundamental flaw. **Recommendation**: Pause launch, build API, then launch securely.