Summary
A PostHog API key is hardcoded in src/windows_mcp/analytics.py:44.
Impact
Anyone with access to this repository can use this key to send
fake analytics events or access analytics data associated with
this key.
Location
File: src/windows_mcp/analytics.py, line 44
Remediation
- Rotate the exposed key immediately in your PostHog dashboard
- Replace with an environment variable: os.environ.get("POSTHOG_API_KEY")
- Add .env to .gitignore
Found with
mcp-bandit v0.1.1 —
security scanner for MCP servers.
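The remediation steps above as a check that can run in CI or a pre-commit hook. This is an added example, not part of the issue report and not code from the project or from mcp-bandit. The function names and the sample sources are constructed for illustration. The pattern relies on the `phc_` prefix that PostHog project keys carry; the length bound is an assumption.

```python
import ast
import os
import re

# PostHog project API keys start with "phc_"; the minimum length is an assumption.
KEY_PATTERN = re.compile(r"phc_[A-Za-z0-9_-]{20,}")


def load_posthog_key(environ=os.environ):
    """Return the key from POSTHOG_API_KEY, or None so the caller disables analytics."""
    key = environ.get("POSTHOG_API_KEY", "").strip()
    return key or None


def find_hardcoded_keys(source):
    """Return the line numbers of string literals in `source` that look like a key."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if KEY_PATTERN.fullmatch(node.value):
                hits.append(node.lineno)
    return sorted(hits)


def gitignore_covers_env(gitignore_text):
    """True if some non-comment entry ignores .env (common spellings only)."""
    entries = {line.strip() for line in gitignore_text.splitlines()}
    return bool(entries & {".env", "/.env", ".env*", "*.env"})


# Constructed placeholder, built at runtime so this file holds no key-shaped literal.
FAKE_KEY = "phc_" + "X" * 32
# Constructed sample sources: the hardcoded form and the remediated form.
SAMPLE_BEFORE = f'import os\n\nAPI_KEY = "{FAKE_KEY}"\n'
SAMPLE_AFTER = 'import os\n\nAPI_KEY = os.environ.get("POSTHOG_API_KEY")\n'

if __name__ == "__main__":
    print("before:", find_hardcoded_keys(SAMPLE_BEFORE))
    print("after: ", find_hardcoded_keys(SAMPLE_AFTER))
    print("key configured:", load_posthog_key() is not None)
```

A check like this only guards new commits; a key that already reached the repository history still has to be rotated.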