Vulnerable Notes MCP Server

by bishnubista

export_to_cloud

Export notes from the Vulnerable Notes MCP Server to cloud storage services like Google Drive, Dropbox, OneDrive, or S3 by specifying provider and target folder.

Instructions

Export notes to cloud storage (Google Drive, Dropbox, etc.)

Input Schema

| Name | Required | Description | Default |
|---|---|---|---|
| provider | Yes | Cloud provider | |
| folder | No | Target folder in cloud storage | |

Implementation Reference

  • The handler logic for the export_to_cloud tool, which simulates an upload and demonstrates vulnerabilities related to hardcoded credentials and overly broad OAuth scopes.
    case "export_to_cloud": {
      const { provider, folder } = args as { provider: string; folder?: string };
    
      // VULNERABILITY: SAFE-T1601 - Using hardcoded API keys
      // VULNERABILITY: SAFE-T1602 - Using overly broad OAuth scopes
    
      let configInfo = "";
    
      switch (provider) {
        case "google":
          configInfo = `Using OAuth scopes: ${OAUTH_CONFIG.google.scopes.join(", ")}`;
          break;
        case "s3":
          // BAD: Exposing AWS credentials
          configInfo = `Using AWS credentials: ${AWS_ACCESS_CRED.substring(0, 8)}...`;
          break;
        case "onedrive":
          configInfo = `Using OAuth scopes: ${OAUTH_CONFIG.microsoft.scopes.join(", ")}`;
          break;
        default:
          configInfo = `Provider: ${provider}`;
      }
    
      // In a real implementation, this would upload to cloud
      // The vulnerability is the exposed credentials and broad scopes
      return {
        content: [{
          type: "text",
          text: `Cloud export initiated.\n${configInfo}\nTarget folder: ${folder || "root"}\n\n[Simulated - actual upload not implemented]`
        }],
      };
    }
  • Tool definition and schema for export_to_cloud, specifying input parameters and allowed cloud providers.
    {
      name: "export_to_cloud",
      description: "Export notes to cloud storage (Google Drive, Dropbox, etc.)",
      inputSchema: {
        type: "object" as const,
        properties: {
          provider: {
            type: "string",
            description: "Cloud provider",
            enum: ["google", "dropbox", "onedrive", "s3"],
          },
          folder: { type: "string", description: "Target folder in cloud storage" },
        },
        required: ["provider"],
      },
    },
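
A hardened counterpart to the handler above, as an added example that is not the project's code: it checks `provider` at runtime, reads the secret from an injected environment map, fails closed when none is set, returns no credential material, and requests narrow scopes. The environment variable names, the scope choices and the function names are assumptions.

```typescript
// Added example, not the project's code. Env var names, scope choices and
// function names are assumptions made for illustration.
type Provider = "google" | "dropbox" | "onedrive" | "s3";
type Env = Record<string, string | undefined>;
const PROVIDERS: readonly Provider[] = ["google", "dropbox", "onedrive", "s3"];

// Narrow scopes: files the app created, or its own folder, not the whole drive.
const LEAST_PRIVILEGE_SCOPES: Partial<Record<Provider, string[]>> = {
  google: ["https://www.googleapis.com/auth/drive.file"],
  onedrive: ["Files.ReadWrite.AppFolder"],
};

// Hypothetical names of the environment variables that hold each secret.
const SECRET_ENV: Record<Provider, string> = {
  google: "GOOGLE_OAUTH_CLIENT_SECRET",
  dropbox: "DROPBOX_APP_SECRET",
  onedrive: "MS_OAUTH_CLIENT_SECRET",
  s3: "AWS_SECRET_ACCESS_KEY",
};

function isProvider(v: unknown): v is Provider {
  return typeof v === "string" && (PROVIDERS as readonly string[]).indexOf(v) !== -1;
}

function exportToCloud(args: { provider?: unknown; folder?: unknown }, env: Env) {
  const fail = (text: string) => ({ isError: true, content: [{ type: "text", text }] });
  const provider = args.provider;
  // A type cast does not enforce the schema enum, so check it at runtime.
  if (!isProvider(provider)) return fail("Unsupported provider.");
  // Fail closed when no secret is configured; never fall back to a literal.
  if (!env[SECRET_ENV[provider]]) return fail(`No credential configured for ${provider}.`);
  const folder = typeof args.folder === "string" && args.folder ? args.folder : "root";
  const scopes = LEAST_PRIVILEGE_SCOPES[provider];
  // The response names the provider and scopes but carries no key material.
  const lines = ["Cloud export initiated.", `Provider: ${provider}`];
  if (scopes) lines.push(`Requested scopes: ${scopes.join(", ")}`);
  lines.push(`Target folder: ${folder}`, "[Simulated - actual upload not implemented]");
  return { isError: false, content: [{ type: "text", text: lines.join("\n") }] };
}

// Regression check: true if text contains the first 8 characters of any secret.
function leaksSecret(text: string, env: Env): boolean {
  return PROVIDERS.some((p) => {
    const secret = env[SECRET_ENV[p]];
    return !!secret && secret.length >= 8 && text.indexOf(secret.substring(0, 8)) !== -1;
  });
}
```

`leaksSecret` is meant for a unit test or a response filter: run over the vulnerable handler's S3 output, it flags the eight-character key prefix that handler returns.
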
Behavior: 2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries full disclosure burden. It fails to mention critical behavioral aspects: authentication requirements (OAuth/tokens), whether the operation is destructive (overwrites existing files), folder creation behavior if path doesn't exist, rate limits, or return value format (URL, ID, or success boolean).

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, efficiently structured sentence of seven words. It front-loads the action and resource with zero filler text. Every word earns its place.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (cloud integration with 4 provider options), the description is minimally viable. The input schema is fully documented, but the description omits crucial cloud-specific context like authentication flows and output format. Without an output schema or annotations, the description should disclose what the export operation returns or how to verify success.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

With 100% schema description coverage, the schema adequately documents parameters. The description adds example provider mappings ('Google Drive' for 'google', 'Dropbox' for 'dropbox') which provides minor semantic value beyond the schema's generic 'Cloud provider' label, but does not elaborate on parameter formats, constraints, or the optional nature of the folder parameter.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description uses a specific verb ('Export') with clear resource ('notes') and destination ('cloud storage'). It implicitly distinguishes from siblings like 'export_to_json' (local file) and 'search_notes' (read-only query) by specifying cloud destination. However, it does not explicitly differentiate from 'export_backup' which may also use cloud storage.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool versus alternatives like 'export_to_json' or 'export_backup'. It lacks prerequisites (e.g., required authentication setup for cloud providers) and does not mention when-not-to-use scenarios or error conditions.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
