agentctx is a security and context-auditing tool for AI agent configurations (skills, MCP servers, CLAUDE.md files). A tool that audits other people's supply chains must hold itself to at least the same standard. This document describes how to report vulnerabilities in agentctx, what we consider in scope, and how we triage and disclose.
agentctx is pre-1.0. Only the latest minor release line receives security fixes. Older minors will not be patched; please upgrade.
| Version | Supported |
|---|---|
| Latest 0.x minor | ✅ |
| Older 0.x minors | ❌ |
This applies to all published packages (@agentctx/cli, @agentctx/core).
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Use GitHub's private vulnerability reporting on this repository:
- Go to the repository's Security tab.
- Click Report a vulnerability to open a private advisory draft.
This is the preferred channel — it keeps the report private, supports collaboration on a fix, and produces a CVE-ready advisory on publication.
If you cannot use GitHub Security Advisories, email:
cz.ycaptain@gmail.com
Include in your report, where possible:
- Affected package and version (`agentctx --version`)
- A description of the vulnerability and its impact
- Steps to reproduce, ideally with a minimal proof-of-concept (e.g. a crafted skill file or MCP config that demonstrates the issue)
- Any suggested remediation
| Stage | Target |
|---|---|
| Acknowledgement of report | within 3 business days |
| Initial assessment & severity | within 7 days |
| Fix or mitigation — Critical | within 14 days of assessment |
| Fix or mitigation — High | within 30 days of assessment |
| Fix or mitigation — Medium | within 60 days of assessment |
| Fix or mitigation — Low | next regular release |
Embargo: We ask reporters to keep details private until a fix is released, with a standard coordinated-disclosure window of 90 days from the initial report. If we cannot ship a fix within the embargo window, we will negotiate an extension with you or agree on public disclosure with mitigations. We will credit reporters in the advisory unless anonymity is requested.
Severity is assessed along two dimensions:
- Impact — what an attacker gains: silent compromise of audited configurations, code execution on the user's machine, integrity loss of audit artifacts, or merely degraded/noisy output.
- Exploitability — how realistic the attack is: triggerable by content agentctx routinely scans (untrusted skills, MCP schemas, third-party configs) ranks higher than issues requiring local access or unusual flags.
The highest combination of the two determines the level. Examples are specific to the agent-context domain:
| Severity | Definition (impact × exploitability) | agent-context examples |
|---|---|---|
| Critical | Defeats agentctx's core security promise, or compromises the user's machine, via content agentctx is designed to scan | Audit bypass — a crafted malicious skill or MCP config that evades agentctx scan detection entirely; arbitrary code execution in the CLI triggered by scanning an untrusted file |
| High | Integrity of security artifacts can be forged or tampered with; significant disclosure or escalation requiring some preconditions | Lockfile forgery — crafting input that passes lockfile verification despite tampering; path traversal letting a scanned config read/write files outside the configured directories |
| Medium | Weakens audit reliability or leaks limited sensitive data, but does not silently defeat detection | Systematic mis-scoring that under-reports a risky MCP server's risk level; scan reports leaking secrets (e.g. env values from MCP configs) into world-readable output |
| Low | Annoyance or noise with no security boundary crossed | False positives in scan rules; crashes (DoS) on malformed input; cosmetic report inaccuracies |
Note on alignment: this impact × exploitability framework is intentionally minimal. The severity model for agentctx's own scan rules (the explainable rule-severity model planned under GAP-12, not yet implemented) will share these same two dimensions, so vulnerability severity in this policy and finding severity in scan output stay directly comparable.
In scope:
- Scanner/audit bypass: any way for scanned content (skills, MCP schemas, CLAUDE.md, hooks) to evade or subvert detection logic.
- CLI code execution & file-system safety: arbitrary code execution, command injection, or unintended file reads/writes triggered by running `agentctx` against untrusted input.
- Integrity of artifacts: forgery or tampering of lockfiles, scan reports, source maps, or other outputs agentctx produces and that users or CI rely on.
- Spec design flaws: weaknesses in agentctx's own schemas/specs (e.g. `agentctx.json`, lockfile format) that enable the above by design rather than by implementation bug.
- Supply chain of agentctx itself: compromised or vulnerable behavior in our published packages or release pipeline.
Out of scope:
- Malicious third-party skills, MCP servers, or configs themselves. agentctx exists to help detect these; the existence of a malicious skill is not a vulnerability in agentctx. (If agentctx fails to detect one it claims to detect, that is in scope — see audit bypass above.)
- Vulnerabilities in upstream agent platforms (Claude Code, other runtimes, MCP server implementations, model providers). Please report those to the respective vendor — e.g. Anthropic's vulnerability disclosure program for Claude Code — not to us. We're happy to help route a report if you're unsure where it belongs.
- Vulnerabilities in third-party dependencies without a demonstrated exploitable path through agentctx (please report to the dependency maintainer; do tell us if agentctx's usage makes it exploitable).
- Issues requiring a fully compromised local machine or social engineering of the user.
We appreciate the work of security researchers and will acknowledge valid reports in release notes and advisories. There is currently no bug bounty program.