AI Scratchpad

Overview Schema Related Servers Score Discussions

MIT License

scratchpad

SECURITY.md•2.26 kB

# Security Policy ## Supported Versions | Version | Supported | | ------- | ------------------ | | 1.0.x | :white_check_mark: | ## Security Features ### Input Validation - All text inputs sanitized against injection attacks - Path traversal protection with workspace boundary checks - Enum validation for type and priority fields - Maximum length enforcement on all inputs ### Rate Limiting - 60 requests per minute per process - Token bucket algorithm implementation - Graceful degradation with wait time notifications ### File System Security - Fixed Desktop location (no workspace traversal possible) - File extension restrictions (.md, .txt, .markdown only) - File size limits (1MB max) - Path length limits (256 chars max) - Automatic statistics updates (no user control over counts) ### Error Handling - Sanitized error messages prevent information disclosure - Separate debug logging to stderr - Controlled error propagation ## Reporting a Vulnerability To report a security vulnerability: 1. **DO NOT** create a public GitHub issue 2. Email the maintainer directly with: - Description of the vulnerability - Steps to reproduce - Potential impact - Suggested fix (if any) Expected response time: 48 hours ## Security Best Practices for Users ### 1. Set WORKSPACE_PATH Always specify a workspace path to prevent unauthorized file access: ```bash export WORKSPACE_PATH="/path/to/your/project" ``` ### 2. Monitor Rate Limits If you see rate limit errors, investigate potential abuse or misconfiguration. ### 3. Review Scratchpad Locations Only create scratchpads in approved directories: - `.idea/` - `.vscode/` - `.dart_tool/` - `.cache/` - `docs/` - `.scratchpad/` ### 4. Check Permissions Ensure proper file permissions on scratchpad files and directories. ### 5. Monitor Logs Check stderr for security warnings and operational issues. ## Known Limitations 1. **Rate Limiting Scope**: Per-process, not global across multiple instances 2. **File Locking**: No concurrent write protection (use single instance per workspace) 3. **Encryption**: Scratchpad files stored in plaintext (don't store sensitive data) ## Security Updates Security patches will be released as needed. Check releases for security updates.

Latest Blog Posts

OpenTelemetry for Model Context Protocol (MCP) Analytics and Agent Observability
By Om-Shree-0709 on .
observability
mcp
opentelemetry
Securing Enterprise AI Agents with Unique Identities in the Model Context Protocol (MCP)
By Om-Shree-0709 on .
When Your Year of Work Gets Copied Overnight: What Actually Matters?
By punkpeye on .
startups

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/HenryWork555/scratchpad'

If you have feedback or need assistance with the MCP directory API, please join our Discord server