gemini-mcp-server

CRITICAL: The `config.js` file contains hardcoded fallback Google Gemini API keys. If the `GEMINI_API_KEY` environment variable is not set, these exposed keys will be used, posing a severe security risk (e.g., unauthorized access, quota abuse). CRITICAL: Several tools (e.g., Image Analysis, Audio Transcription, Image Editing, Video Analysis, File Upload) take `file_path` as a direct argument and use it in file system operations without sufficient path sanitization or validation for absolute paths. This creates a significant path traversal vulnerability, potentially allowing an attacker to read, write, or delete arbitrary files on the server. Network risks involve outbound calls to Google Gemini and OpenRouter APIs. While these are generally trusted, the lack of robust input validation could allow crafted file content to be processed by AI models in unintended ways.