mcp115

The primary security vulnerability is in the `internal/api/auth.go`'s `handleLogin` function. It uses `internal/api/driver_wrapper.go`'s `Login` method, which is a mock implementation that unconditionally returns success (`return nil`). This means the MCP server's '115.login' API command will grant a valid session to *any* provided username and password, without actually authenticating with the 115 cloud service. This makes the server completely insecure if exposed. Additionally, session information (SessionID, UserID, Username, etc.) is stored in plaintext JSON files on disk (defaulting to './sessions'), posing a significant information leakage risk if the storage directory is compromised or improperly secured. While the README suggests cookie-based login for a CLI tool, the server API directly exposes a username/password login that is broken by design.