temps-mcp-setup

Warn

Audited by Socket on Mar 1, 2026

1 alert found:

Security: MEDIUM
SKILL.md

The integration instructions are functionally coherent but present notable supply-chain and credential-exposure risks. The main issues are recommending unpinned runtime execution via npx -y and advising storing the TEMPS_API_KEY in plaintext client JSON files. There is no direct evidence of active malware in the provided text, but the recommended workflow makes credential exfiltration feasible if the @temps-sdk/mcp package or its dependencies are compromised. Recommended mitigations: pin package versions (npx @temps-sdk/mcp@x.y.z), verify checksums or signatures when possible, use short-lived least-privilege API keys, avoid storing secrets in plaintext config (use OS keychain or inject at runtime), and prefer installing and auditing the package before use or running it in an isolated runtime.

Confidence: 75%
Severity: 75%

Audit Metadata
Analyzed At: Mar 1, 2026, 06:50 PM
Package URL: pkg:socket/skills-sh/gotempsh%2Ftemps%2Ftemps-mcp-setup%2F@818c993ed791efc03f485c8b783c46777ae8f79c