Only the latest minor version of each published package receives security fixes. Update with:
npm install -g ask-gemini-mcp@latest ask-codex-mcp@latest ask-ollama-mcp@latest ask-llm-mcp@latestFor the Claude Code plugin, run /plugin update ask-llm from inside Claude Code.
Please do not open public GitHub issues for security vulnerabilities.
Use GitHub Private Vulnerability Reporting to report privately. We aim to respond within 7 days.
Include in your report:
- Affected package and version (
ask-gemini-mcp,ask-codex-mcp,ask-ollama-mcp,ask-llm-mcp, or@ask-llm/plugin) - A clear description of the issue
- Reproduction steps or proof-of-concept if possible
- Your suggested mitigation if you have one
- Whether you'd like credit in the advisory
The MCP server runs locally as a subprocess of the user's MCP client (Claude Code, Claude Desktop, Cursor, etc.) with the user's privileges. Provider CLIs (gemini, codex) and Ollama are trusted dependencies.
- Command injection via tool arguments (prompt, model, includeDirs, sessionId)
- Path traversal via
@filesyntax or--include-directories - Information disclosure — secrets leaking into logs, error responses, or stderr that is propagated back to the MCP client
- Plugin hooks executing untrusted shell content (the
PreToolUseBash matcher inpackages/claude-plugin/hooks/hooks.json) - Workspace-protocol bundling bugs that could cause unintended code to be installed at
npm installtime (see ADR-052) - Temp file handling — leakage of staged diffs or session content from
/tmp/ask-llm-*files - Insecure defaults in the
commandExecutorspawn options or the resolvedPATH(ADR-047)
- Vulnerabilities in upstream provider CLIs — report to Google (Gemini), OpenAI (Codex), or Ollama directly
- Vulnerabilities in
@modelcontextprotocol/sdk— report to the MCP project - Issues that already require local code execution as the same user the MCP server runs as (the MCP server is not a privilege boundary — it already runs with your full user privileges)
- Vulnerabilities in the user's MCP client (Claude Code, Claude Desktop, etc.)
- Quality-of-output issues with LLM responses (prompt injection from a file the user explicitly asked to read is a usage concern, not a vulnerability in this project)
| Day | Action |
|---|---|
| 0 | Report received via GitHub Private Vulnerability Reporting |
| ≤ 7 | Initial response with severity assessment |
| ≤ 30 | Fix developed, advisory drafted |
| ≤ 90 | Coordinated disclosure and patch release (or earlier if a fix is ready and the issue is being actively exploited) |
Reporters who follow coordinated disclosure are credited in the published GitHub Security Advisory unless they request anonymity.