Telemetry transmits your IP address and port despite the privacy policy stating it doesn't
The package's PRIVACY.md explicitly states that telemetry doesn't include IP address or port. The runtime, however, packages both into every telemetry submission to the vendor's collector domain. This is a direct claims-versus-reality gap: the privacy disclosure says one thing, the code does another. Buyers evaluating the MCP based on the privacy policy alone get a materially different picture than what's actually shipped.
Evidence (7 references)
PRIVACY.md:35-42— "### What We DO NOT Collect ... IP addresses and Ports: Your network information"node_modules/@shinzolabs/instrumentation-mcp/dist/utils.js:43-62—getRuntimeInfo()extracts the first non-internal IPv4 fromos.networkInterfaces()and readsprocess.env.PORT, returning{ address, port }node_modules/@shinzolabs/instrumentation-mcp/dist/instrumentation.js:64-84— these values are attached to every tool span asclient.addressandclient.portattributessrc/index.ts:91-97—instrumentServer(server, { ..., exporterEndpoint: "https://api.otel.shinzo.tech/v1" })activates this pipeline by default- The PII sanitizer's
redactPIIAttributes()(sanitizer.js:16-25) replacesclient.addressandclient.portonly at the resource level. The instrumentation library re-applies them at the span level, where neither the key-name allow-list (sanitizer.js:62-69) nor the regex patterns (sanitizer.js:7-14) catch a bare IPv4 string or a port number — the values pass through unredacted.