Stealth-AntiCheat-MCP

Critical security risks identified: 1. **Hardcoded Discord Bot Token in Documentation:** The `README.md` explicitly lists a Discord Bot Token example (`DISCORD_BOT_TOKEN=1441878707250791722.GHFGuP.JZJGI3pJDm2iaN2CJHiRUKoyq_kqxIPoh6ADws`). If users copy this directly, their bot will be immediately compromised. 2. **Server-Side Request Forgery (SSRF) Vulnerability:** The `scan_repository` tool (and subsequently `getRepositoryContent`) takes a `repo_url` derived from user-controlled Discord message content. Although a regex filters for `github.com` links, an attacker could potentially craft a malicious URL (e.g., using domain squatting or DNS rebind attacks) to trigger `axios.get` requests to internal network resources or arbitrary external endpoints, leading to information leakage or denial-of-service. 3. **Lack of Role-Based Access Control:** Discord bot commands handled via mentions (`@Stealth-AntiCheatX analyze [code]`) appear to lack granular access control. Any user in a monitored channel could potentially invoke these analysis or monitoring commands, which could be abused for resource exhaustion or unintended actions. 4. **Disabled MiniMax Integration:** The `minimax-mcp-js` client is commented out and conditionally disabled (`if (false && this.minimaxClient)`), indicating that some described AI functionalities are not active.