CamoFox MCP: Unauthenticated HTTP MCP browser-control surface
camofox-mcp exposed a Streamable HTTP MCP endpoint at /mcp with rate limiting but no inbound MCP-layer authentication. When HTTP mode was enabled, any client that could reach /mcp could list and invoke browser-control tools. If CAMOFOX_API_KEY was configured, the server then forwarded that server-side key to the underlying camofox-browser backend. That means an unauthenticated MCP caller could exercise the server's browser authority without knowing the backend browser API key. Reviewed …