Skip to main content

Security Model

ToolStorePy helps you assemble tool servers from external code. That makes trust boundaries explicit and important.

Index trust boundary

Indexes do not execute code directly, but they do point ToolStorePy toward external repositories. A malicious or low-quality index can steer the build toward risky sources, so index provenance still matters.

Repository trust boundary

Matched repositories are cloned before build. They are then scanned with a security scanner before being approved for inclusion.

Scan modes

Two scanners are available. They can be used independently or together.

AST scanner (default)

A static AST-based scanner that flags:

SeverityExamples
HIGHshell execution (os.system, subprocess shell=True), dynamic code execution (eval/exec), unsafe deserialization (pickle.loads, yaml.load), unconditional shell wrappers (subprocess.getoutput)
MEDIUMcapability imports (subprocess, pickle, raw sockets, unsafe XML), dynamic reflection, potential secret logging
LOWHTTP clients, crypto primitives, deprecated modules

If a repository has HIGH findings, ToolStorePy asks you whether to include or skip it. Skipping keeps it out of the final server.

LLM scanner (--llm-scan)

An LLM reads the full source of each repo and makes an autonomous INCLUDE / SKIP decision. The human prompt is bypassed entirely. The LLM can reason about patterns the AST scanner cannot — such as obfuscated logic, suspicious data flows, or unusual combinations of capabilities.

The LLM scanner is model-agnostic via LangChain. Any supported provider works: Claude, GPT, Gemini, Mistral, and others.

When both scanners are active, findings from both are merged into the same report and the LLM decision is final.

User approval boundary

  • AST only: human approves or skips each repo with HIGH findings before the build continues
  • LLM scan: no human prompt — the LLM verdict is final and the build proceeds automatically

Secret boundary

If tool repos ship .env.example files, ToolStorePy merges them into one workspace template and checks your .env for missing keys. Repos excluded by the security scan do not contribute their secrets to the merged file.

Runtime boundary

The generated MCP server is regular Python code assembled from other repositories. ToolStorePy improves visibility and reviewability, but it is not a runtime sandbox.

Practical guidance

  • treat indexes as supply-chain inputs
  • review workspace/security_report.txt after every build
  • prefer curated indexes and known repo sources
  • inspect the generated server before production use
  • use --llm-scan for automated pipelines where a human prompt is not possible
  • avoid running high-risk tools blindly on sensitive machines