lanhu-mcp

The server uses `LANHU_COOKIE` for authentication with Lanhu, which is a sensitive credential. While the project correctly advises storing this in environment variables and provides clear guides on securing it (`.env` file permissions, not committing to Git, regular rotation), user negligence in handling this cookie or exposing the server externally without proper network security (e.g., firewalls, HTTPS for production) could lead to risks. The project explicitly states that `0.0.0.0` is the default host and advises securing it. Input validation for `search_regex` is done via `re.compile`, which could be a ReDoS vector if not properly sanitized, though it operates on internal message content. File system operations are confined to the `./data` directory. No arbitrary code execution from user input or malicious patterns were found. The presence of `SECURITY.md` and detailed deployment best practices demonstrates a proactive security posture.