mcp_server

CRITICAL security risks found. The `mcp_demo.py` file hardcodes and heavily obfuscates Microsoft Graph API credentials (client_id, client_secret, tenant_id) directly within the source code. These obfuscated secrets are then decrypted at runtime using `saltdata` and `keydata` passed as tool parameters, which is a highly insecure practice as it means sensitive API keys are present in the codebase and their effective security relies on additional runtime parameters. An OpenWeatherMap API key is also hardcoded in `mcp_demo.py`. Additionally, several network requests across different files (e.g., `requests.get`) are made with `verify=False`, which disables SSL/TLS certificate verification and makes the application vulnerable to Man-in-the-Middle (MITM) attacks. The `decode_jwttoken` tool explicitly disables signature verification, which could lead to misuse if not handled carefully. Despite the presence of `dotenv.load_dotenv()`, critical secrets are not loaded from environment variables but are hardcoded or passed directly as parameters, indicating poor secret management.