We take security issues seriously. If you discover a vulnerability in replicant-mcp, please report it responsibly.

Use GitHub Security Advisories to report vulnerabilities privately. This is the fastest way to reach us and keeps the report confidential until a fix is available.

If you cannot use GitHub Security Advisories, email the maintainers directly at the address listed in the repository's package.json.

• A description of the vulnerability and its potential impact
• Steps to reproduce or a proof-of-concept
• The version(s) of replicant-mcp affected
• Any suggested fix, if you have one

We will coordinate disclosure timing with the reporter. If a fix takes longer than 30 days, we will provide status updates.

The following areas are in scope for security reports:

• Command injection via adb-shell tool input (see adb-shell safety model)
• MCP protocol abuse that could bypass tool safety guards or escalate access
• Data exposure through .replicant/ cache artifacts (screenshots, logs, build output)
• Dependency vulnerabilities in replicant-mcp's direct dependencies

The following are not considered replicant-mcp vulnerabilities:

• Vulnerabilities in Android OS itself
• Vulnerabilities in adb or the Android SDK
• Vulnerabilities in apps installed on connected devices
• Issues requiring physical access to the host machine
• Social engineering attacks against users

• We follow coordinated disclosure. Please do not publicly disclose vulnerabilities before a fix is available.
• We will credit reporters in the release notes unless they prefer to remain anonymous.
• We will publish a security advisory on GitHub once a fix is released.