Kolada-MCP

CRITICAL: The server is explicitly configured for 'Open Access' (no authentication) by default, as stated in its startup logs and `http-server.ts`. While the data it proxies from Kolada API is open, running a publicly accessible proxy without authentication poses a significant security risk. It could lead to abuse, resource exhaustion, or denial-of-service attacks against the deployed instance. Although an `MCP_AUTH_TOKEN` environment variable is defined in `render.yaml`, it is not active or enforced by default in the server's core logic. Commendable security practices include robust input validation via Zod, explicit `readOnlyHint` and `destructiveHint: false` for all tools, client-side rate limiting and retry logic for the upstream API, and the use of static analysis tools (CodeQL, GitGuardian, TruffleHog, Bearer SAST, Dependabot, npm audit) as indicated in `SECURITY.md`.