ctfd-mcp-server

The internal FastAPI backend (`server/main.py`) hardcodes the target CTFd instance to `https://demo.ctfd.io`, overriding all environment variables (`CTFD_BASE_URL` or `BASE_URL`) and user input through the `/set_base_url` endpoint. This creates a severe functional limitation and a potential security risk, as users attempting to connect to a private CTFd instance would unknowingly send credentials to `demo.ctfd.io`. Additionally, the project's internal communication is flawed: `ctfd_mcp_server.py` (the MCP interface, likely running on default FastAPI port 8000) attempts to call a backend at `http://127.0.0.1:8000`, which could result in a self-referential loop or connection failure since the actual backend (`server/main.py`) defaults to port `9999`. Authentication tokens, cookies, username, and password are saved unencrypted in `server_state.json`, which could be a risk if the server's file system is compromised.