prometheus-mcp-server

The server's core function involves making HTTP requests to a user-defined Prometheus URL (`PROMETHEUS_URL`). If `PROMETHEUS_URL` points to an untrusted or internal network location, it could potentially be exploited for Server-Side Request Forgery (SSRF). The `PROMETHEUS_URL_SSL_VERIFY` option allows disabling SSL verification, which is insecure and explicitly warned against in the logs. Authentication credentials (username/password, bearer token) are passed via environment variables, which is standard for containerized applications but requires secure environment management. The `PROMETHEUS_CUSTOM_HEADERS` option allows arbitrary headers as a JSON string; while `json.loads` is generally safe, this could be a point of concern if not handled carefully in specific deployment scenarios. The Docker image runs as a non-root user (`app`), which is a good security practice.