Analyzing the pixeltable-mcp SDK implementation revealed a path to Remote Code Execution (RCE) through the MCP tool interface. Several functions exposed to the LLM—specifically add_computed_column, create_view, and create_query—pass raw string inputs directly into Python's eval() and exec() sinks.
# ai-engineering-hub/pixeltable-mcp/base-sdk/tools.py (Line 240)
@mcp.tool()
def create_query(query_name: str, table_name: str, query_function: str) -> str:
    # ...
    # query_name and query_function are both LLM-supplied strings spliced
    # verbatim into Python source; nothing validates them first.
    func_def = f"""
@{table.name}.query
def {query_name}():
{query_function}
"""
    exec(func_def)  # the assembled source runs in the MCP server process
Exploitability is high in the context of autonomous AI agents. An attacker who achieves Prompt Injection (through a document, web page or tool result the agent reads) can steer the agent into invoking these tools with a payload such as __import__('os').system('...'). The string is exec()'d inside the MCP server process, so the payload runs with that process's privileges, filesystem access and credentials. Since the code is labeled as a "Base SDK," there is a significant risk that developers will copy this pattern into production-facing systems.
Migrating to Pixeltable's internal expression API would mitigate this risk while preserving the intended functionality for the community. ast.literal_eval is a narrower option: it accepts only Python literals (strings, numbers, tuples, lists, dicts, sets, booleans, None) and rejects calls, attribute access and names, so it can replace eval() where a tool expects a constant value, but it cannot express a computed-column expression or a query body. Including a security warning in the README for this specific sub-project is also recommended to prevent insecure reuse.
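The vulnerable shape beside one hardened form, as an added example that is not pixeltable-mcp's code and does not use Pixeltable's API. unsafe_create_query mirrors the exec() pattern above; the hardened path parses the tool input with ast, allowlists node types, binds names only to known columns and interprets the tree over rows instead of executing it. The row interpreter is a stand-in for translating the expression into Pixeltable's expression objects (assumed to be the real target, not modelled here); the sample rows, column names and payload are constructed, and parse_constant shows the one place ast.literal_eval does fit.

```python
import ast
import operator

# Added example (not pixeltable-mcp's code). Contrasts the exec()-style tool
# with an allowlisting AST validator. Rows, columns and payloads are constructed.


def unsafe_create_query(query_name: str, query_function: str):
    """Splices tool arguments straight into source and exec()s it, like the
    page's snippet. Both arguments are injection points: query_name lands in
    the 'def' line, query_function in the body."""
    func_def = f"def {query_name}():\n    return {query_function}\n"
    namespace = {}
    exec(func_def, namespace)  # attacker-controlled source runs in this process
    return namespace[query_name]()


class ExpressionRejected(ValueError):
    """Raised when a tool input is not a plain column expression."""


# Arithmetic, comparison and boolean logic over named columns and constants only.
# Deliberately absent: Call, Attribute, Subscript, Lambda, comprehensions, IfExp
# and NamedExpr, the routes to __import__, __builtins__ and __class__.__subclasses__().
_ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.Name, ast.Constant, ast.Load,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.USub, ast.Not, ast.And, ast.Or,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)
_BINARY = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod}
_COMPARE = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}


def validate_column_expression(expr: str, columns) -> ast.Expression:
    """Parse expr and reject any node outside the allowlist or any name that is
    not a known column. Nothing is executed."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ExpressionRejected(f"not a valid expression: {exc.msg}") from None
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise ExpressionRejected(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in columns:
            raise ExpressionRejected(f"unknown column: {node.id}")
    return tree


def evaluate(tree: ast.AST, row: dict):
    """Interpret a validated tree over one row (stand-in for building
    Pixeltable expression objects; that API is an assumption, not modelled)."""
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name):
            return row[node.id]
        if isinstance(node, ast.BinOp):
            return _BINARY[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp):
            value = ev(node.operand)
            return -value if isinstance(node.op, ast.USub) else not value
        if isinstance(node, ast.BoolOp):
            values = [ev(v) for v in node.values]
            return all(values) if isinstance(node.op, ast.And) else any(values)
        if isinstance(node, ast.Compare):
            left = ev(node.left)
            for op, comparator in zip(node.ops, node.comparators):
                right = ev(comparator)
                if not _COMPARE[type(op)](left, right):
                    return False
                left = right
            return True
        raise ExpressionRejected(type(node).__name__)  # unreachable after validation
    return ev(tree)


def safe_add_computed_column(expr: str, columns, rows):
    """What add_computed_column could do with the user string: validate once,
    evaluate per row, return the new column's values."""
    tree = validate_column_expression(expr, columns)
    return [evaluate(tree, row) for row in rows]


def parse_constant(text: str):
    """ast.literal_eval fits only constant inputs (a default value, a literal
    filter argument): it accepts literals and rejects everything else."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ExpressionRejected(f"not a literal: {exc}") from None


COLUMNS = {"price", "quantity"}                                  # constructed
ROWS = [{"price": 2.5, "quantity": 4}, {"price": 3.0, "quantity": 2}]  # constructed
PAYLOAD = "__import__('os').getpid()"  # benign stand-in for os.system('...')

if __name__ == "__main__":
    print("unsafe tool ran attacker code, pid =", unsafe_create_query("q", PAYLOAD))
    print("totals:", safe_add_computed_column("price * quantity", COLUMNS, ROWS))
    try:
        safe_add_computed_column(PAYLOAD, COLUMNS, ROWS)
    except ExpressionRejected as exc:
        print("hardened tool rejected payload:", exc)
```

The allowlist is the control: validation walks every node with ast.walk, so operator and context nodes are checked too, and a missing entry fails closed rather than open. Extending it with ast.Call for a fixed set of functions is where most reimplementations go wrong; if functions are needed, map names to callables explicitly in the interpreter instead of admitting arbitrary Call nodes.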