No confirmed malicious attack surface. The CLI exposes user-invoked MCP tools for a configured Godot project and local development services.
Static reason
No blocking static signals were detected.
Trigger
User runs breakpoint-mcp and invokes MCP tools.
Impact
Requested tools can modify the configured project or launch configured developer tools, but no covert execution, exfiltration, or persistence is established.
Mechanism
Local Godot bridge/LSP/DAP integration with gated project edits and configured subprocesses.
Rationale
The package is an explicitly launched MCP server for Godot development. Its process execution and project writes are user-invoked, project/configuration-aligned, and confirmation-gated where destructive; source inspection found no concrete malicious chain.
Evidence
package.jsondist/index.jsdist/config.jsdist/stdio.jsdist/tools/assetgen.jsdist/tools/lsp.jsdist/tools/cslsp.jsdist/confirm.jsdist/bridge.jsdist/framing.jsdist/paths.jsdist/tools/cli.js