If you discover a security vulnerability in MCP Guard itself, please report it responsibly:
- Do NOT open a public GitHub issue
- Email the maintainers or use GitHub's private vulnerability reporting feature
- Include steps to reproduce and potential impact

We will respond within 48 hours and work with you on a fix.

MCP Guard is a static analysis tool. It reads files but does not execute MCP servers or connect to external services. The attack surface is limited to:
- Maliciously crafted source files that could exploit the Python AST parser
- Maliciously crafted JSON config files

| Version | Supported |
|---|---|
| 0.1.x | Yes |