scrapfly-mcp

The server securely proxies requests to the Scrapfly API, requiring an API key for authentication. It avoids hardcoded secrets for its own operation, relying on environment variables or request parameters for the API key. The `pkg/authenticableClient` package enforces API key validation for incoming HTTP requests to the MCP server endpoint, ensuring that only authenticated users can access the tools. The use of `unsafe` operations in `pkg/mcpex` and `internal/patcher` is noted but common in Go SDKs for interacting with external library internals (specifically, `modelcontextprotocol/go-sdk`), and does not present an immediate vulnerability in this context. User-provided JavaScript (`js`, `js_scenario` parameters) is explicitly designed to be executed on the *remote target website* via the Scrapfly service, not on the MCP server itself, thus mitigating direct server-side code injection risks from these inputs. The `npx mcp-remote` command mentioned in the README is a *client-side utility* to connect to a remote Scrapfly MCP server (or a local instance configured to use `stdio`), not a command to run *this* Go server application.