All /api/* endpoints are completely unauthenticated. Any process on the machine, and any user on the network that can reach the listener, can reconfigure the agent, trigger config updates, or stop/start it. For an agent that holds real wallet credentials and a marketplace identity, this is a significant gap.
Severity: Critical
Consider: HTTP Basic Auth or an API key header (compared in constant time), or at minimum binding the listener to 127.0.0.1 only (see related issue). Note that binding to loopback alone closes the network exposure but not the local one: any process on the machine can still drive the API, so a credential check is needed as well.
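As an added illustration of the API-key option (example code written for this review, not the agent's own code), the sketch below gates every /api/* route on an assumed `X-Api-Key` header, compares the presented key in constant time with `hmac.compare_digest`, and binds only to 127.0.0.1. The header name, the `AGENT_API_KEY` environment variable and the `/api/status` route are assumptions for the example; the `probe()` helper spins the server up on an ephemeral loopback port so the three cases (no key, wrong key, right key) can be exercised offline.

```python
"""Minimal API-key gate in front of a local agent's /api/* endpoints (illustrative, not the project's code)."""
import hmac
import os
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

HEADER = "X-Api-Key"      # assumed header name (not from the original report)
BIND_ADDR = "127.0.0.1"   # loopback only: the listener is not reachable from the network


def check_api_key(headers, expected_key):
    """Return True only if the request carries exactly the expected key.

    hmac.compare_digest runs in constant time, so a caller cannot recover the
    key byte by byte from response timing. A missing header or an empty
    configured key is always rejected (an empty key must never mean "open").
    """
    presented = headers.get(HEADER)
    if presented is None or not expected_key:
        return False
    return hmac.compare_digest(presented.encode(), expected_key.encode())


def make_handler(expected_key):
    """Build a request handler class bound to one configured key."""

    class Handler(BaseHTTPRequestHandler):
        def _send(self, status, body):
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_GET(self):
            # Only /api/* exists; every route under it passes through the same gate.
            if not self.path.startswith("/api/"):
                return self._send(404, b"not found")
            if not check_api_key(self.headers, expected_key):
                return self._send(401, b"missing or invalid API key")
            return self._send(200, b"ok: authenticated agent API")

        # Config updates and stop/start are state-changing, so POST is gated identically.
        do_POST = do_GET

        def log_message(self, *args):
            pass  # keep the example quiet

    return Handler


def probe(expected_key, presented_key=None):
    """Start the gated server on an ephemeral loopback port, send one request, return the HTTP status."""
    server = HTTPServer((BIND_ADDR, 0), make_handler(expected_key))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        req = Request(f"http://{BIND_ADDR}:{server.server_port}/api/status")
        if presented_key is not None:
            req.add_header(HEADER, presented_key)
        try:
            with urlopen(req, timeout=5) as resp:
                return resp.status
        except HTTPError as err:
            return err.code
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Assumed deployment convention: the key comes from the environment; a random one is
    # generated here only so the demo runs stand-alone.
    key = os.environ.get("AGENT_API_KEY") or secrets.token_urlsafe(32)
    print("no key    ->", probe(key))
    print("wrong key ->", probe(key, "not-the-key"))
    print("right key ->", probe(key, key))
```

The status code is the observable difference a local attacker would see: 401 without the header, 401 with a wrong one, 200 only with the configured key. Basic Auth would replace `check_api_key` with a base64-decoded `Authorization` header check but leave the rest of the gate unchanged.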