wyze-mcp-server

The server correctly loads user-specific Wyze credentials (email, password, API key, key ID) from environment variables. Input validation is performed using Zod schemas for all tool parameters, which is a good practice. No 'eval' or direct arbitrary command execution is observed. Password hashing uses triple MD5, which is generally considered weak for new password storage, but in this context, it's likely a requirement to match the expected format of the reverse-engineered Wyze API for login. Several API keys (AUTH_API_KEY, FORD_APP_KEY, FORD_APP_SECRET, OLIVE_SIGNING_SECRET, OLIVE_APP_ID) are hardcoded in `src/constants.ts`. These appear to be client identifiers for the Wyze platform's internal APIs, reverse-engineered from the official Wyze app, rather than user-specific secrets. While hardcoding client identifiers is not ideal, it's less critical than hardcoding user credentials. The disclaimer notes that the implementation is based on reverse-engineered APIs, which introduces inherent fragility and a potential for unexpected behavior or vulnerabilities if Wyze's internal APIs change.