Security: anasfik/undercover

SECURITY.md

Security Policy

Scope

undercover processes source code text and commit messages locally. It does not make network requests, execute code from repositories, or transmit data externally. The MCP server communicates only over stdio with the local agent host.

Reporting a vulnerability

If you discover a security issue (e.g. a pattern rule that could be exploited to corrupt source files, or a path traversal in a future file-processing feature), please report it privately:

GitHub private vulnerability reporting: https://github.com/anasfik/undercover/security/advisories/new

Please include:

  • A description of the issue
  • Steps to reproduce
  • The version / commit SHA affected

We will respond within 7 days.