| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take security vulnerabilities seriously. If you discover a security issue in Discord Server Setup MCP, please report it responsibly.
- Do NOT open a public GitHub issue for security vulnerabilities
- Email your findings to the repository maintainers (see the repository contact information)
- Include as much detail as possible:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Assessment: We will investigate and assess the vulnerability within 7 days
- Updates: We will keep you informed of our progress
- Resolution: We aim to resolve critical vulnerabilities within 30 days
- Credit: We will credit you in the release notes (unless you prefer anonymity)
This MCP server requires macOS Accessibility permissions to control the Discord desktop application. Accessibility access is granted to a process, not to a target application: a process that holds it can drive the user interface of any application, so the grant is only as safe as the code and the MCP client that drive it. Users should:
- Only grant Accessibility permissions to trusted applications
- Review which applications have Accessibility access in System Settings > Privacy & Security > Accessibility (System Preferences on macOS 12 and earlier)
- Revoke permissions when no longer needed
The server executes AppleScript and JavaScript for Automation (JXA) code to control Discord. Security considerations:
- All automation scripts are executed locally on the user's machine
- Scripts only interact with the Discord desktop application
- No data is transmitted to external servers by this MCP server
- Input validation using Zod schemas helps prevent injection attacks; validated values are still treated as data, not as script source, because a value interpolated into an AppleScript or JXA string literal can close that literal and append code
- The server communicates via stdio transport (standard input/output)
- No network ports are opened by the server itself
- Communication is limited to the local MCP client (e.g., Claude Desktop)
All user inputs are validated using Zod schemas before processing:
- Server names, channel names, and role names are validated and sanitized before being used in automation scripts
- Color values are validated against expected formats
- Permission values are validated against an allow-list of Discord permissions
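The two points above, as an added example that is not the project's code: a naive AppleScript invocation built by string interpolation, beside a hardened one that keeps the script source fixed and passes the user value as an `osascript` argument, plus a format check of the kind a Zod schema would perform. The payload, the channel-name and color patterns, the length limit and the permission allow-list are constructed for the example and are not taken from the project's schemas.

```javascript
// Added example, not the project's code. Shows why format validation alone
// is not enough when values end up in AppleScript/JXA source, and how to
// keep user-supplied values out of the script text. Patterns and limits
// below are assumptions, not the project's real Zod schema.

// Constructed payload: a "channel name" that closes an AppleScript string
// literal and concatenates the result of a shell command onto it.
const PAYLOAD = 'general" & (do shell script "id") & "';

// Naive: the value is interpolated into script source. The double quote in
// PAYLOAD ends the literal, so the rest of the value is parsed as code.
function buildNaiveScript(channelName) {
  return 'tell application "Discord" to activate\n' +
         `tell application "System Events" to keystroke "${channelName}"`;
}

// Hardened: the script is a fixed template that reads its input from argv.
// osascript passes any extra command-line arguments to the run handler.
const SAFE_SCRIPT = [
  'on run argv',
  '  set channelName to item 1 of argv',
  '  tell application "Discord" to activate',
  '  tell application "System Events" to keystroke channelName',
  'end run',
].join('\n');

// Returns the shape you would hand to child_process.execFile: no shell,
// no interpolation, the value travels as its own argv element.
function buildSafeInvocation(channelName) {
  return { file: 'osascript', args: ['-e', SAFE_SCRIPT, channelName] };
}

// Fallback when a value really must be embedded in script source: escape
// the only two characters that are special inside an AppleScript string
// literal, backslash first so the added quote escapes are not doubled.
function escapeAppleScriptString(s) {
  return s.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Format validation standing in for a Zod schema. Assumed rules: channel
// names are lower-case words joined by hyphens or underscores, colors are
// six-digit hex, permissions must come from a fixed allow-list.
const CHANNEL_NAME = /^[a-z0-9_-]{1,100}$/;
const HEX_COLOR = /^#[0-9a-fA-F]{6}$/;
const ALLOWED_PERMISSIONS = new Set(['ViewChannel', 'SendMessages', 'ManageChannels']);

function validateCreateChannelInput(input) {
  const errors = [];
  if (typeof input.name !== 'string' || !CHANNEL_NAME.test(input.name)) {
    errors.push('name');
  }
  if (input.color !== undefined && (typeof input.color !== 'string' || !HEX_COLOR.test(input.color))) {
    errors.push('color');
  }
  const perms = input.permissions === undefined ? [] : input.permissions;
  if (!Array.isArray(perms) || perms.some((p) => !ALLOWED_PERMISSIONS.has(p))) {
    errors.push('permissions');
  }
  return { ok: errors.length === 0, errors };
}

// Walk through the three outcomes for the constructed payload.
function demo() {
  return {
    naiveLeaksCode: buildNaiveScript(PAYLOAD).includes('& (do shell script "id") &'),
    safeKeepsCodeFixed: !buildSafeInvocation(PAYLOAD).args[1].includes('do shell script'),
    schemaRejects: !validateCreateChannelInput({ name: PAYLOAD }).ok,
  };
}
console.log(demo());
```

The same argv pattern applies to JXA: `osascript -l JavaScript` invokes `function run(argv)` with the extra arguments, so a JXA template can read `argv[0]` instead of having the value spliced into its source. Schema validation then narrows what reaches the script; the argv boundary is what stops a value from becoming code.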
- Keep Dependencies Updated: Regularly run `npm update` to pick up security patches within the declared version ranges (`npm audit` reports dependencies with known advisories)
- Review Permissions: Only grant this tool the minimum necessary permissions
- Audit Usage: Monitor what operations the MCP server performs
- Secure Your Discord Account: Use strong passwords and enable 2FA on Discord
- Local Use Only: This tool is designed for local automation over stdio only; do not expose it over a network transport
The following are considered in-scope for security reports:
- Remote code execution vulnerabilities
- Privilege escalation
- Data exfiltration
- Injection vulnerabilities (AppleScript, JXA)
- Authentication/authorization bypasses
- Sensitive data exposure
The following are out-of-scope:
- Vulnerabilities in Discord itself (report to Discord)
- Vulnerabilities in macOS (report to Apple)
- Social engineering attacks
- Physical access attacks
- Denial of service against local resources
Security updates will be released as patch versions and announced in:
- GitHub Releases
- CHANGELOG.md
Users are encouraged to watch this repository for notifications about security updates.