Skip to content

Commit 9cecb27

Browse files
docs: add security policy (#25)
1 parent 93b4880 commit 9cecb27

1 file changed

Lines changed: 32 additions & 0 deletions

File tree

.github/SECURITY.md

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
# Security Policy
2+
3+
## Supported Versions
4+
5+
Security updates are provided for the most recent release of `elnora-plugins`. The marketplace and its plugins are versioned together; we recommend always running the latest tag.
6+
7+
| Version | Supported |
8+
| ------- | --------- |
9+
| Latest release (`1.x`) | Yes |
10+
| Older releases | No — please upgrade |
11+
12+
## Reporting a Vulnerability
13+
14+
Please report suspected vulnerabilities privately. Do not open a public issue for security reports.
15+
16+
- **Email:** [security@elnora.ai](mailto:security@elnora.ai)
17+
- **GitHub:** use [private vulnerability reporting](https://github.com/Elnora-AI/elnora-plugins/security/advisories/new) on this repository
18+
19+
Include the affected version or commit, reproduction steps, and impact. We aim to acknowledge within 3 business days and to provide a remediation timeline after triage. Please give us a reasonable window to release a fix before any public disclosure. We are happy to credit reporters who wish to be named.
20+
21+
## Data Flow, Credentials & Secrets
22+
23+
This repository ships **client-side configuration and Agent Skills only** — it contains no server code and stores no credentials. Understanding what leaves your machine:
24+
25+
- **What it does:** installing a plugin from this marketplace registers the Elnora MCP server (`https://mcp.elnora.ai/mcp`) with your AI tool and copies skill files into that tool's skills directory. When you invoke a skill, your AI client sends requests to the Elnora Platform over HTTPS.
26+
- **Credentials:** the MCP server authenticates by one of two methods, both handled by your MCP client — never by files in this repo:
27+
- **OAuth 2.1** (recommended) — a browser popup completes authorization on first connection; tokens are stored and refreshed by your AI client, not this repository.
28+
- **API key** — a Bearer token passed in the `Authorization` header, generated from your Elnora account settings. Keep it in an environment variable or your client's secret store; never commit it or paste it into skill files, configs, or issues.
29+
- **What leaves your machine:** the prompts, task content, and files you choose to send to the Elnora Platform, plus your auth token, all over TLS to `mcp.elnora.ai`. The skills in this repo do not exfiltrate data to any other host.
30+
- **No secrets in the repo:** no API keys, tokens, OAuth client secrets, or personal data are committed to this repository. `.env` and `*.local` files are gitignored. If you find a secret committed to git history, treat it as a vulnerability and report it via the channels above.
31+
32+
Because Agent Skills execute in the context of your AI tool, only install marketplaces and skills you trust, and review skill files before running them in a privileged environment.

0 commit comments

Comments
 (0)