This is an exploit-free disclosure for the public GitHub MCP server docs and adjacent public guidance.
Summary
We reviewed the public tool/schema surface together with the documented host permission boundary and validated sink shape locally without contacting external services or using real secrets. The current public docs can still be read as exposing network and secret-handling sink paths unless the intended trust boundary is stated very explicitly.
Targets covered in this note
- GitHub MCP server docs
- GitHub MCP server blog / public announcement surface
Requested follow-up
- confirm whether the current permission and tool-routing behavior is intended,
- clarify the intended trust boundary in the public docs,
- point reporters to a preferred security channel if a private follow-up would be more appropriate.
This is an exploit-free disclosure for the public GitHub MCP server docs and adjacent public guidance.
Summary
We reviewed the public tool/schema surface together with the documented host permission boundary and validated sink shape locally without contacting external services or using real secrets. The current public docs can still be read as exposing network and secret-handling sink paths unless the intended trust boundary is stated very explicitly.
Targets covered in this note
Requested follow-up