tradingview-mcp

The source code itself appears generally safe. It does not use 'eval' or other highly dangerous patterns. Secrets (`TRADINGVIEW_SESSION_ID`, `TRADINGVIEW_SESSION_ID_SIGN`) are correctly loaded from environment variables, which is good practice. It uses Playwright in headless mode for browser automation, a standard library. Communication is via standard I/O (stdio), reducing network attack surface. A minor concern is Playwright's use of `--no-sandbox`, which is common for browser automation but can slightly reduce isolation if the host environment is not secure. CRITICAL NOTE: The README contains highly problematic installation instructions, suggesting to `python https://raw.githubusercontent.com/viney-123/tradingview-mcp/main/src/tradingview_mcp/tradingview-mcp_1.1.zip`. Running arbitrary Python code directly from a URL, especially a zip file from a raw GitHub link, is a severe security risk and should be avoided. Users should install via standard Python package managers (e.g., pip) or clone the repository and run the script locally.