marinade-finance-mcp-server

The provided source code itself appears to be generally well-structured, uses environment variables for sensitive data (PRIVATE_KEY, RPC URLs), and implements standard blockchain interactions. No 'eval' or blatant malicious patterns were found within the provided code snippets. However, the project's README.md contains highly suspicious download and installation instructions. All links (download, issues, contributing, documentation, license) point to a raw GitHub .zip file (https://raw.githubusercontent.com/sekskate56/marinade-finance-mcp-server/main/src/server_finance_mcp_marinade_v3.6.zip). It instructs users to download this .zip and run it as an .exe on Windows, a .dmg on macOS, or even attempts to tar -xvzf a .zip file and then 'run' the .zip URL on Linux. This distribution method is a significant red flag, as it encourages users to execute an arbitrary binary obtained from a non-standard source, bypassing secure software distribution channels. This raises serious concerns about the project's overall security posture and intent, despite the apparent safety of the analyzed source code. 'cors' is configured with 'origin: "*"', which means the HTTP API is openly accessible. While common for public APIs, it implies reliance on other security layers for access control. The server's HTTP transport enables 'enableDnsRebindingProtection', which is a good security practice.