openapi-to-mcp

Verified Safe

by bbonnin

Overview

An MCP server that dynamically converts any OpenAPI/Swagger specification into AI-usable tools, allowing AI agents to interact with REST APIs without manual tool coding.

Installation

Run Command
java -jar $PATH_TO_JAR/openapi-mcp-server.jar --openapi.location=<swagger file or URL>

Environment Variables

  • OPENAPI_LOCATION
  • OPENAPI_BASEURL
  • SPRING_AI_MCP_SERVER_PROTOCOL
  • SPRING_AI_MCP_SERVER_NAME
  • SPRING_AI_MCP_SERVER_VERSION
  • SERVER_PORT
  • SPRING_PROFILES_ACTIVE

Security Notes

The server makes HTTP/HTTPS calls to external APIs based on the provided OpenAPI specification. The primary security risks are:

1. **Untrusted OpenAPI Source**: If `openapi.location` points to a malicious or untrusted OpenAPI definition, the server could expose dangerous tools to AI agents or make unauthorized calls.
2. **Dev Profile Insecurity**: The `dev` Spring profile in `RestClientConfig` explicitly disables SSL certificate validation and hostname verification. This is a critical vulnerability, because it permits man-in-the-middle attacks, in any non-development environment where this profile might be accidentally activated. This profile also logs full request/response bodies, which could expose sensitive data.
3. **Input Sanitization**: While the server itself doesn't execute arbitrary code, the arguments passed to the `RemoteApiExecutor` are derived from tool calls. Improper handling of these arguments in the OpenAPI definition or the underlying API could lead to injection-like issues.

Stats

  • Interest Score: 0
  • Security Score: 6
  • Cost Class: Medium
  • Avg Tokens: 1000
  • Stars: 0
  • Forks: 0
  • Last Update: 2025-12-05

Tags

OpenAPI, Swagger, AI Tools, MCP Server, API Gateway