golf-testing

The project is a testing framework that connects to and tests external MCP servers. It uses environment variables for API keys (e.g., ANTHROPIC_API_KEY, OPENAI_API_KEY) and can be configured to run local servers via `stdio` transport, executing arbitrary commands specified in user configuration. While this provides powerful testing capabilities, it introduces a risk if configured with untrusted commands. The OAuth callback mechanism starts a local HTTP server, which is standard for OAuth flows but should be noted. The `security_tester` module explicitly crafts malicious payloads to test target servers, but this is a function of the tool, not a vulnerability within it. Overall, the tool itself appears to follow good security practices for its operations, with the primary security considerations revolving around the integrity of user-provided configurations and the trust placed in the target MCP servers.