Pitchlense-mcp

Verified Safe

by connectaman

Overview

Provides AI-powered, multi-category risk analysis for startups, aiding in investment due diligence, growth potential evaluation, and portfolio risk management.

Installation

Run Command
pitchlense-mcp server

Environment Variables

  • GEMINI_API_KEY
  • SERPAPI_API_KEY
  • PERPLEXITY_API_KEY
  • GOOGLE_CLOUD_PROJECT
  • GOOGLE_APPLICATION_CREDENTIALS
  • VERTEX_AI_LOCATION

Security Notes

The server demonstrates strong security practices for handling API keys, consistently loading them from environment variables (`os.getenv`) rather than hardcoding. Other findings:

  • Input validation is present for `startup_text`.
  • There's no evidence of direct `eval` or `exec` on user-provided input.
  • File uploads in the GCP Cloud Function are handled by downloading to the `/tmp` directory, which is standard for temporary serverless storage, and processing relies on LLM-based content extraction rather than arbitrary code execution.
  • LLM prompts include explicit `SECURITY INSTRUCTIONS` to prevent prompt injection and generate professional, unbiased content.
  • The `GoogleContentModerationMCPTool` currently uses a *mock* keyword-based check, which is a functional limitation (not actual Google moderation) but is transparently stated and doesn't introduce a code vulnerability.
  • Network risks are inherent with multiple external API calls (Gemini, Perplexity, SerpAPI), but robust error handling is implemented.

Stats

Interest Score: 36
Security Score: 9
Cost Class: Medium
Avg Tokens: 35000
Stars: 6
Forks: 2
Last Update: 2026-01-13

Tags

startup analysis, risk assessment, AI, LLM, due diligence, investment, financial analysis, knowledge graph