mcp-neovim-server

Security Findings (14)

• HighExcessive Permission Surface ×4

  • vim_command:tool declares exec permission
  • vim_window:tool declares exec permission
  • vim_search:tool declares network permission
  • vim_search_replace:tool declares network permission

  Rule: AS-002Fix: Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.
• MediumExcessive Permission Surface ×6

  • vim_buffer:tool declares fs permission
  • vim_buffer_save:tool declares fs permission
  • vim_file_open:tool declares fs permission
  • vim_grep:tool declares fs permission
  • vim_tab:tool declares fs permission
  • vim_jump:tool declares fs permission

  Rule: AS-002Fix: Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.
• LowDoS Resilience — Missing Rate Limit / Timeout ×4

  • vim_command:tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration
  • vim_window:tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration
  • vim_search:tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration
  • vim_search_replace:tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration

  Rule: AS-011Fix: Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent.