Security: verygoodplugins/mcp-ecosystem

.github/SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in this repo or in a generated MCP server template, please do not open a public issue.

Report it privately via GitHub Security Advisories. We aim to respond within 3 business days.

For urgent issues you may also email support@verygoodplugins.com.

Scope

This repository contains templates, scripts, and CI configurations propagated to ~15 downstream MCP servers. A vulnerability in a template (e.g. an insecure default in a workflow or an exposed token in a renderer) can affect every consumer, so please flag those even if they don't apply to this repo on its own.

Disclosure Policy

We follow coordinated disclosure: we'll work with you on a fix and credit you in the release notes if you wish.

There aren't any published security advisories