Skip to content

Security: Poseidoncode/superpowers-mcp

SECURITY.md

Security Policy

Supported Versions

The following versions of Superpowers MCP are currently supported with security updates:

Version Supported
6.0.x
5.1.x
5.0.x
4.3.x
< 4.3

Reporting a Vulnerability

If you discover a security vulnerability in Superpowers MCP, please report it responsibly:

  1. Email: Send details to posidomhu@gmail.com
  2. Subject: Use "[Security] Superpowers MCP - Brief Description"
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 7 days
  • Fix Released: Within 30 days (depending on severity)

Current Security Status (v6.0.1)

Check Status
npm audit vulnerabilities 0️⃣ Zero — all 37 prior advisories resolved
innerHTML usage 0️⃣ Zero — entire codebase uses safe DOM APIs
eval / new Function / document.write 0️⃣ Zero occurrences
Hardcoded secrets in tracked files 0️⃣ Zero — .gitignore covers .env*, *.pem, *.key, *.token, credentials*
World-writable files 0️⃣ Zero
XSS vectors (brainstorming Visual Companion & server) ✅ Patched — DOM XSS fixed in v5.1.1, remaining innerHTML eliminated in v6.0.0, reflected server-side XSS fixed in v6.0.1
ReDoS (path-to-regexp) ✅ Patched — upgraded to v8.4.2 in v5.1.1
CORS / Lambda / Set-Cookie (hono) ✅ Patched — upgraded to v4.12.26 in v5.1.2

Security Best Practices

When using Superpowers MCP:

  • Keep the package updated to the latest version (npm update -g superpowers-mcp)
  • Review skill files before execution in sensitive environments
  • Report any suspicious behavior immediately
  • The brainstorming Visual Companion starts a local HTTP server on an ephemeral port — only accessible from localhost

There aren't any published security advisories