baremcp
Verified Safe
by barecommerce-core
Overview
MCP server for BareCommerceCore e-commerce platform management via AI assistants, enabling natural language control over store operations.
Installation
baremcp
Environment Variables
- BARECOMMERCE_API_URL
- BARECOMMERCE_API_KEY
- BARECOMMERCE_DEFAULT_STORE_ID
- DEBUG
Security Notes
The server demonstrates strong security practices for an MCP server. It utilizes OAuth Device Flow to prevent API keys from being exposed in chat. Local credentials are encrypted using AES-256-GCM with machine-specific key derivation, and stored with strict file permissions. Webhook URLs are rigorously validated to prevent SSRF, blocking non-HTTPS, localhost, and private IP ranges. Error messages are sanitized to prevent information disclosure (e.g., internal error details, sensitive patterns like 'password'). Browser opening uses safe argument passing to prevent command injection. Requests include timeouts and retry logic with exponential backoff for transient network issues. No obvious hardcoded secrets beyond a salt for local encryption. The PRIVACY.md explicitly states no telemetry or analytics are collected.