wdmtech/openrouter-search-mcp
highA Model Context Protocol (MCP) server that provides web search functionality using OpenRouter's online-enabled models.
This MCP server provides web search functionality by sending user queries to OpenRouter's online-enabled models (e.g., GPT-4o, Claude) and returning t...
136private async performSearch(params: SearchParams) {
137 const { query } = params;
138 const model = params.model || DEFAULT_MODEL;
139
140 try {
141 const response = await this.axiosInstance.post('/chat/completions', {
142 model: model,
143 messages: [
144 {
145 role: 'user',
146 content: query
147 }
148 ]
149 });86this.axiosInstance = axios.create({
87 baseURL: 'https://openrouter.ai/api/v1',
88 headers: {
89 'Authorization': `Bearer ${OPENROUTER_API_KEY}`,
90 'Content-Type': 'application/json',
91 'HTTP-Referer': 'https://openrouter-search-mcp.onrender.com',
92 'X-Title': 'MCP OpenRouter Search',
93 },
94 });// Exploitable if an attacker gains access to the server's environment (e.g., via other vulnerabilities like SSRF or RCE).
The OpenRouter API key is included in the Authorization header of every request. While this is standard for API authentication, the key is stored in an environment variable and used directly. If an attacker gains access to the server's environment (e.g., via SSRF or other vulnerabilities), they could extract the key. Additionally, the key is sent over HTTPS, but if the server is compromised, the key could be leaked.
ImpactAn attacker with access to the server's environment or network traffic could obtain the OpenRouter API key, leading to unauthorized usage, financial cost, and potential abuse of the API.
FixUse a secrets manager or secure vault to store the API key. Ensure the server runs with minimal privileges and that environment variables are not exposed in error messages or logs. Consider using short-lived tokens or rotating keys regularly.