We take security seriously. The following versions of universal-mcp-toolkit are currently receiving security updates:
| Version | Supported |
|---|---|
| 1.x | ✅ |
If you discover a security vulnerability in universal-mcp-toolkit, please do not open a public GitHub issue. Public disclosure before a fix is in place puts users at risk.
Instead, please report it privately:
Email: open a GitHub Security Advisory via the Security tab, or reach out directly through GitHub.
When reporting, please include:
- A clear description of the vulnerability and the potential impact
- The version(s) affected
- Steps to reproduce or a proof-of-concept (if applicable)
- Any suggested mitigations you may have identified
We will acknowledge your report within 72 hours and aim to release a patch within 14 days of confirmation, depending on severity.
This policy covers:
- The
universal-mcp-toolkitCLI (packages/cli) - The
@universal-mcp-toolkit/coreruntime package (packages/core) - All server packages under
servers/ - CI workflows and build tooling under
.github/
Out of scope:
- Security issues in upstream third-party API providers (GitHub, Notion, Slack, Stripe, etc.) — report those directly to the respective vendor
- Vulnerabilities in
node_modulesdependencies — report those to the maintainers of the affected package via their own security policy
- Never commit
.envfiles. The root.env.exampleis for reference only. - Rotate tokens regularly. All server integrations use API tokens; treat them as secrets.
- Use the
FILESYSTEM_ROOTSvariable to restrict file system access to only the directories your agent needs. - Review
POSTGRESQL_ALLOW_WRITESandREDIS_ALLOW_WRITESbefore enabling them in shared environments. - Run with least-privilege tokens. Use read-only API tokens where write access isn't required.
Once a fix is released, we will:
- Publish a patched version on npm
- Update the
CHANGELOG.mdwith a security notice - Open a GitHub Security Advisory with full disclosure details
- Credit the reporter (with their permission)
Thank you for helping keep universal-mcp-toolkit and its users safe.