We release patches for security vulnerabilities in the following versions:

We take security seriously. If you discover a security vulnerability in this project, please report it by emailing:

Email: arcaela.reyes@gmail.com

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact
• Suggested fix (if any)

• Response time: We aim to respond within 48 hours
• Fix timeline: Critical vulnerabilities will be patched within 7 days
• Disclosure: We follow responsible disclosure practices

When using this MCP server:

1. API Keys: Never commit API keys to version control
2. Environment Variables: Store sensitive data in environment variables
3. Access Control: Limit MCP server access to trusted clients only
4. Updates: Keep dependencies up to date
5. Validation: All inputs are validated using Zod schemas

• API Key Exposure: Ensure OPENAI_API_KEY is not logged or exposed
• File System Access: Tools write to temporary directories (/tmp/mcp-*)
• Network Requests: All requests use HTTPS for OpenAI API
• Input Validation: Zod schemas validate all tool inputs before processing

We regularly update dependencies to patch known vulnerabilities. Run:

npm audit

To check for known vulnerabilities in dependencies.

We appreciate responsible disclosure and will acknowledge reporters in release notes (with permission).

For general security questions: arcaela.reyes@gmail.com

For urgent security issues: Use the same email with subject "URGENT SECURITY"