Security Audit Finding (ASF-2026-0868)
Severity: Medium | Confidence: High | Risk Score: 5/100
Description
When API credentials are auto-created on first run (lines 321-323 in src/polymarket_mcp/server.py), the full POLYMARKET_API_KEY and POLYMARKET_PASSPHRASE are logged via logger.info():

```python
logger.info(f"POLYMARKET_API_KEY={polymarket_client.api_creds.api_key}")
logger.info(f"POLYMARKET_PASSPHRASE={polymarket_client.api_creds.api_passphrase}")
```

In containerized or cloud deployments, INFO-level logs are typically shipped to centralized logging systems (CloudWatch, Datadog, ELK, etc.), so the trading credentials become readable by anyone with log access and stay there for as long as the logs are retained.
Remediation
- Log only a truncated prefix (e.g., the first 8 characters) for identification
- Or write the credentials directly to a `.env` file instead of logging them
- At minimum, use `logger.debug()` instead of `logger.info()` (a stopgap only: debug output is shipped just the same once the log level is lowered)

Any credentials already emitted at INFO level should be treated as exposed and rotated; changing the log call does not recall what has already been shipped.
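The following is an added example written for this finding, not code from the polymarket_mcp project, showing the first two remediations together and going one step further: instead of fixing the two call sites only, a handler-level filter scrubs `NAME=value` pairs for the named secrets from every record, whatever logger or level produced it, and the credentials are written to a `.env` file created with mode 0600 rather than logged. The helper names (`redact_secret`, `SecretRedactingFilter`, `captured_log_lines`, `write_env_file`, `roundtrip_env`) and the sample key values are assumptions made for the example; the environment variable names are the ones cited in the finding.

```python
"""Added example, not polymarket_mcp project code: keep API credentials
out of INFO-level logs and persist them to a 0600 .env file instead.
Helper names below are assumptions made for this example."""
import logging
import os
import re
import stat
import tempfile

# Environment variable names cited in the finding.
SECRET_ENV_NAMES = ("POLYMARKET_API_KEY", "POLYMARKET_PASSPHRASE")


def redact_secret(value: str, prefix_len: int = 8) -> str:
    """Return a short identifying prefix plus the length, never the full secret."""
    if not value:
        return "<empty>"
    return f"{value[:prefix_len]}...({len(value)} chars)"


class SecretRedactingFilter(logging.Filter):
    """Scrub NAME=value pairs for the known secret names from every record
    passing through the handler, whatever logger or level produced it."""

    _pattern = re.compile(r"(" + "|".join(SECRET_ENV_NAMES) + r")=(\S+)")

    def filter(self, record: logging.LogRecord) -> bool:
        message = record.getMessage()
        scrubbed = self._pattern.sub(
            lambda m: f"{m.group(1)}={redact_secret(m.group(2))}", message
        )
        if scrubbed != message:
            # Store the pre-formatted text so the formatter cannot re-expand args.
            record.msg = scrubbed
            record.args = ()
        return True  # never drop the record, only rewrite it


def captured_log_lines(messages):
    """Push messages through a logger whose handler carries the filter and
    return exactly what that handler would ship downstream."""
    received = []

    class _Collect(logging.Handler):
        def emit(self, record):
            received.append(self.format(record))

    logger = logging.getLogger("polymarket_mcp.redaction_example")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    handler = _Collect()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactingFilter())
    logger.addHandler(handler)
    for m in messages:
        logger.info(m)  # same call pattern as the finding: logger.info(f"NAME={value}")
    return received


def write_env_file(path: str, creds: dict) -> None:
    """Persist credentials to a .env file created owner read/write only (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        for name, value in creds.items():
            fh.write(f"{name}={value}\n")
    os.chmod(path, 0o600)  # tighten the mode even if the file already existed


def read_env_file(path: str) -> dict:
    """Minimal NAME=value parser for what write_env_file produced."""
    creds = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                name, value = line.split("=", 1)
                creds[name] = value
    return creds


def roundtrip_env(creds: dict):
    """Write creds to a temporary .env and return (permission bits, parsed contents)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".env")
        write_env_file(path, creds)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return mode, read_env_file(path)


if __name__ == "__main__":
    # Constructed sample credentials for the demo; not real keys.
    sample = {"POLYMARKET_API_KEY": "0123456789abcdef0123456789abcdef",
              "POLYMARKET_PASSPHRASE": "correct-horse-battery-staple"}
    for line in captured_log_lines([f"{k}={v}" for k, v in sample.items()]):
        print(line)
    mode, parsed = roundtrip_env(sample)
    print(f".env mode={mode:o} keys={sorted(parsed)}")
```

The filter is attached to the handler rather than to one logger so that a future `logger.info(...)` in any module that repeats the pattern is still scrubbed; the `.env` write opens the file with the mode set at creation time so there is no window in which it exists with default permissions.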
Audit Details
- Report: AgentAudit #442
- Finding ID: ASF-2026-0868
- Audited commit: d3d2432
- Overall result: safe (5/100)
Automated security audit by AgentAudit