A Model Context Protocol (MCP) server for Polymarket prediction markets, providing real-time market data, prices, and AI-powered analysis tools for Claude Desktop integration.
The application stores the Polymarket API key in an environment variable. While this is common practice, the `.env.example` file includes a commented-out example API key, so a developer who copies this file to `.env` and forgets to remove the example could accidentally commit a real API key to version control.
The application allows the Polymarket API base URL to be configured via the `POLYMARKET_API_BASE_URL` environment variable. While there is a check that the URL starts with `http://` or `https://`, nothing else about the URL's format or content is validated. An attacker who can set this variable could point the server at a malicious URL, leading to data exfiltration or other attacks.
The code does not implement rate limiting on the MCP server endpoints, so an attacker could flood the server with requests and cause a denial of service (DoS).
The `update_readme.py` script updates README.md with a list of the markdown files in the directory. It builds that list by embedding each filename directly into a markdown link. If an attacker can create a markdown file with a specially crafted filename (for example, one containing markdown or HTML), the injected markup is rendered as part of the README.