foundryvtt-mcp-bridge

The module's core function is to establish a WebSocket connection to a user-specified relay server and expose Foundry VTT functionalities (like chat, journal, token data, and operations) over this connection. The API key for authentication is sent as a query parameter in the WebSocket URL, which can be logged by intermediaries or exposed if not using WSS (secure WebSocket). The `journal-page` handler allows powerful operations (create, update, delete, read) on journal entries via WebSocket messages. While internal Foundry IDs are mapped to obfuscated IDs for network transmission (using `encryptUuid`), this is not a security measure against unauthorized access if the API key is compromised. Therefore, the overall security critically depends on the trustworthiness and proper securing of the external WebSocket relay server and the API key. The presence of 'Item Pile' related strings in `en.json` (despite the module's description as an MCP bridge) is a minor inconsistency that could suggest sloppy development, but does not indicate a direct code vulnerability.