|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +Security updates are provided for the most recent release of `elnora-plugins`. The marketplace and its plugins are versioned together; we recommend always running the latest tag. |
| 6 | + |
| 7 | +| Version | Supported | |
| 8 | +| ------- | --------- | |
| 9 | +| Latest release (`1.x`) | Yes | |
| 10 | +| Older releases | No — please upgrade | |
| 11 | + |
| 12 | +## Reporting a Vulnerability |
| 13 | + |
| 14 | +Please report suspected vulnerabilities privately. Do not open a public issue for security reports. |
| 15 | + |
| 16 | +- **Email:** [security@elnora.ai](mailto:security@elnora.ai) |
| 17 | +- **GitHub:** use [private vulnerability reporting](https://github.com/Elnora-AI/elnora-plugins/security/advisories/new) on this repository |
| 18 | + |
| 19 | +Include the affected version or commit, reproduction steps, and impact. We aim to acknowledge within 3 business days and to provide a remediation timeline after triage. Please give us a reasonable window to release a fix before any public disclosure. We are happy to credit reporters who wish to be named. |
| 20 | + |
| 21 | +## Data Flow, Credentials & Secrets |
| 22 | + |
| 23 | +This repository ships **client-side configuration and Agent Skills only** — it contains no server code and stores no credentials. Understanding what leaves your machine: |
| 24 | + |
| 25 | +- **What it does:** installing a plugin from this marketplace registers the Elnora MCP server (`https://mcp.elnora.ai/mcp`) with your AI tool and copies skill files into that tool's skills directory. When you invoke a skill, your AI client sends requests to the Elnora Platform over HTTPS. |
| 26 | +- **Credentials:** the MCP server authenticates by one of two methods, both handled by your MCP client — never by files in this repo: |
| 27 | + - **OAuth 2.1** (recommended) — a browser popup completes authorization on first connection; tokens are stored and refreshed by your AI client, not this repository. |
| 28 | + - **API key** — a Bearer token passed in the `Authorization` header, generated from your Elnora account settings. Keep it in an environment variable or your client's secret store; never commit it or paste it into skill files, configs, or issues. |
| 29 | +- **What leaves your machine:** the prompts, task content, and files you choose to send to the Elnora Platform, plus your auth token, all over TLS to `mcp.elnora.ai`. The skills in this repo do not exfiltrate data to any other host. |
| 30 | +- **No secrets in the repo:** no API keys, tokens, OAuth client secrets, or personal data are committed to this repository. `.env` and `*.local` files are gitignored. If you find a secret committed to git history, treat it as a vulnerability and report it via the channels above. |
| 31 | + |
| 32 | +Because Agent Skills execute in the context of your AI tool, only install marketplaces and skills you trust, and review skill files before running them in a privileged environment. |
0 commit comments