Hi,
Reporting a security finding privately. GHSA / private vulnerability reporting isn't enabled on this repo — happy to move to whichever channel you prefer (email, encrypted, security.txt contact).
Class: Cross-AI silent callout — the commit-message generation tool forwards the staged diff to an external LLM (OpenAI / Anthropic / configured provider) and returns the synthesized message as plain text, with no provider / model / ai_generated: true markers on the returned content. The host agent that drives the commit flow cannot distinguish deterministic tool output from second-LLM synthesis — which becomes load-bearing because commit messages are then auto-applied. A poisoned diff hunk (e.g. an attacker-controlled file content or a comment in an otherwise innocent change) can steer the synthesizer to emit a misleading commit message, or, in the worst case, a message that exfiltrates context by encoding it in the message body.
Severity estimate: Medium-High (auto-commit auto-application surface; poisoned diff steers commit-message synthesis — low-friction propagation into git history).
Scope: Static-analysis finding. No live exploitation performed on any deployed instance.
What I need: A channel to send the full writeup with file + line references and a suggested fix (provenance-wrap the returned commit message, label generator: "<provider>:<model>", pass the untrusted diff through a clear [UNTRUSTED_INPUT]...[/UNTRUSTED_INPUT] delimiter, and require an explicit host-agent confirmation step before auto-apply).
Channel: Email to victor.valentine415@gmail.com (CC: seanv415@gmail.com) is fine, or any channel you prefer.
Context: This is part of a larger MCP ecosystem audit (62+ findings across 8 rounds, same vulnerability class). Related disclosures already coordinated with: getzep/graphiti (GHSA-grj2-r92j-f256), perplexityai/modelcontextprotocol (GHSA-r55g-g74v-4m2m), sooperset/mcp-atlassian (GHSA-f4p7-qx46-wc5j), plus direct email to Notion, Jina, and Sentry security inboxes.
Thanks for building this. Happy to coordinate disclosure timing that suits you.
— Sean Valentine
Hi,
Reporting a security finding privately. GHSA / private vulnerability reporting isn't enabled on this repo — happy to move to whichever channel you prefer (email, encrypted, security.txt contact).
Class: Cross-AI silent callout — the commit-message generation tool forwards the staged diff to an external LLM (OpenAI / Anthropic / configured provider) and returns the synthesized message as plain text, with no
provider/model/ai_generated: truemarkers on the returned content. The host agent that drives the commit flow cannot distinguish deterministic tool output from second-LLM synthesis — which becomes load-bearing because commit messages are then auto-applied. A poisoned diff hunk (e.g. an attacker-controlled file content or a comment in an otherwise innocent change) can steer the synthesizer to emit a misleading commit message, or, in the worst case, a message that exfiltrates context by encoding it in the message body.Severity estimate: Medium-High (auto-commit auto-application surface; poisoned diff steers commit-message synthesis — low-friction propagation into git history).
Scope: Static-analysis finding. No live exploitation performed on any deployed instance.
What I need: A channel to send the full writeup with file + line references and a suggested fix (provenance-wrap the returned commit message, label
generator: "<provider>:<model>", pass the untrusted diff through a clear[UNTRUSTED_INPUT]...[/UNTRUSTED_INPUT]delimiter, and require an explicit host-agent confirmation step before auto-apply).Channel: Email to victor.valentine415@gmail.com (CC: seanv415@gmail.com) is fine, or any channel you prefer.
Context: This is part of a larger MCP ecosystem audit (62+ findings across 8 rounds, same vulnerability class). Related disclosures already coordinated with: getzep/graphiti (GHSA-grj2-r92j-f256), perplexityai/modelcontextprotocol (GHSA-r55g-g74v-4m2m), sooperset/mcp-atlassian (GHSA-f4p7-qx46-wc5j), plus direct email to Notion, Jina, and Sentry security inboxes.
Thanks for building this. Happy to coordinate disclosure timing that suits you.
— Sean Valentine