Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.
new URL(`${API_URL}/mcp/api-key`)
Do not construct URLs from unvalidated user input. Use a URL allowlist or domain restriction.
Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.
const API_KEY = process.env.MCP_ANALYTICS_API_KEY || "";
Avoid accessing sensitive env vars directly. Use a configuration module that validates and restricts access.