ghost-mcp-server

The core server and client code adhere to standard security practices for API interaction, utilizing API keys passed via environment variables or command-line arguments for authentication. Responses containing large lists of findings are intelligently truncated to prevent excessive token usage by AI models, which is a good reliability and cost-control measure. No direct use of 'eval' or other dynamic code execution that could lead to runtime injection vulnerabilities was observed. Installation scripts (e.g., `install.js`, `setup-claude-code.sh`) use `execSync` for system commands and directly embed user-provided API keys into JSON configuration files. While this is a common installer pattern, it carries a minor, theoretical risk if a maliciously crafted API key were to bypass string escaping during setup. This is a setup-time, not runtime, consideration, and assumes the user trusts the installer script itself.