MoebiusX/otel-mcp-server
highOpenTelemetry MCP Server — expose traces, metrics, logs, and ZK proofs to AI agents via the Model Context Protocol
MCP server (purpose undetermined)
151httpServer.listen(port, () => {
152 console.error(`✓ otel-mcp-server v${VERSION} listening on http://0.0.0.0:${port}`);
153 console.error(` Health: http://localhost:${port}/health`);
154 console.error(` Metrics: http://localhost:${port}/metrics`);// Network-exposed MCP server; exploitable by any network attacker.
When --http is used, the server listens on 0.0.0.0 (all network interfaces) and authentication is optional. If MCP_AUTH_KEYS is not set, the server is completely open to the network, exposing all MCP tools to any client that can reach the port.
ImpactAn attacker on the network can call any MCP tool (e.g., query telemetry data, execute backend commands) without authentication, leading to data exfiltration or further exploitation.
FixBind to 127.0.0.1 by default or require authentication when listening on non-localhost. Add a warning and require explicit flag to bind to 0.0.0.0.
66if (req.method === 'GET' && req.url === '/health') {
67 res.writeHead(200, { 'Content-Type': 'application/json' });
68 res.end(JSON.stringify({
69 status: 'ok',
70 server: 'otel-mcp-server',
71 version: VERSION,
72 auth: authEnabled ? 'enabled' : 'disabled',
73 skills: allSkills
74 .filter(s => enabledIds.has(s.id))
75 .map(s => ({ id: s.id, available: s.isAvailable(), tools: s.tools })),
76 }));
77 return;
78}
79
80if (req.method === 'GET' && req.url === '/metrics') {
81 res.writeHead(200, {
82 'Content-Type': 'text/plain; version=0.0.4; charset=utf-8',
83 });
84 res.end(serializeMetrics());
85 return;
86}// Network-exposed MCP server; exploitable by any network attacker.
The /health and /metrics endpoints are handled before authentication checks, so they are always accessible without any credentials. The health endpoint leaks information about enabled skills and their availability, which could aid an attacker in reconnaissance.
ImpactAn unauthenticated attacker can enumerate available skills and their tool counts, gaining insight into the server's capabilities. The /metrics endpoint may expose operational data.
FixMove authentication checks before these endpoints, or at least restrict /health and /metrics to localhost or require authentication.
36for (const skill of allSkills) {
37 if (enabledIds.has(skill.id) && skill.isAvailable()) {
38 skill.register(server, helpers);
39 registered.push(skill);
40 }
41}// Network-exposed MCP server; exploitable by any client that can call tools.
The server registers skills as MCP tools without any input validation layer. Each skill's tool handlers receive arguments directly from the MCP client. If any skill accepts arbitrary paths, URLs, or commands, there is no server-level sanitization.
ImpactDepending on the skill implementation, an attacker could perform path traversal, SSRF, or command injection if the skill does not validate inputs. This finding highlights the lack of a centralized validation boundary.
FixImplement input validation middleware for all tool arguments, or ensure each skill validates its own inputs. Consider using a schema validation library.
46const clientKeys = loadClientKeys();
47const authEnabled = clientKeys.length > 0;
48
49if (!authEnabled) {
50 console.error(' Auth: ⚠ No client keys configured — HTTP server is OPEN');
51 console.error(' Set MCP_AUTH_KEYS env or mount auth-keys.json');
52}// Network-exposed MCP server; requires access to server logs or process environment.
The server logs a warning when no client keys are configured, but does not log the keys themselves. However, if loadClientKeys() throws an error that includes key material, it could be logged. Additionally, the environment variable MCP_AUTH_KEYS may be exposed in process listings or logs if not handled carefully.
ImpactLow risk; keys are not directly logged, but environment variables could be leaked through other means (e.g., crash reports, debug logs).
FixEnsure loadClientKeys() does not include key material in error messages. Consider using a secrets manager or file-based keys with restricted permissions.