algorand-remote-mcp

CRITICAL VULNERABILITIES: The `sdk_sign_bytes` and `sdk_sign_transaction` tools directly accept raw secret keys (`sk`) or mnemonic phrases as input from the AI agent. This completely bypasses the intended secure key management provided by HashiCorp Vault, allowing a malicious or compromised AI agent to sign arbitrary transactions or data if it is provided with or can infer these secrets. This contradicts the stated goal of secure key management and exposes user funds. MODERATE RISK: The `buildHTMLPage` functions (used by `arc26Manager.ts` and `receiptManager.ts`) do not sanitize all potential inputs (e.g., `from`, `label`, `sender`, `receiver`, `note`) that could originate from the AI agent. If a malicious AI controls these inputs, it could inject Cross-Site Scripting (XSS) attacks into the generated HTML pages, which are then shared with users. HIGH CONFIGURATION RISK: The security relies heavily on the `HCV_WORKER_URL` environment variable pointing to a trusted and securely configured HashiCorp Vault worker. A misconfiguration or compromise of this endpoint could lead to the exfiltration of private keys managed by the Vault worker.