
Security: CursorTouch/Windows-MCP


SECURITY.md

Security Policy

Overview

Windows-MCP provides powerful automation capabilities that interact directly with your Windows operating system. This document outlines security considerations, best practices, and our commitment to maintaining a secure project.

⚠️ CRITICAL WARNING

READ THIS BEFORE DEPLOYING WINDOWS-MCP

Direct Operating System Interaction

Windows-MCP is NOT a sandboxed or isolated tool. It interacts directly with your actual Windows operating system on behalf of the connected LLM agent. This means:

  • Real System Actions: Every tool call executes real actions on your physical or virtual Windows machine
  • No Safety Net: There is no intermediate layer, simulation, or preview mode
  • User Permissions: The MCP server operates on behalf of the user running it

Irreversible and Destructive Changes

Many operations performed by Windows-MCP CANNOT BE UNDONE:

  • File Deletions: Files deleted through PowerShell or UI interactions may be permanently lost
  • Data Overwrites: Text typed with clear=True replaces existing content without recovery options
  • System Modifications: PowerShell commands can modify registry, services, and system configurations
  • Application Actions: Clicking "Delete", "Yes", or "Confirm" buttons has real consequences
  • No Undo/Rollback: Unlike text editors or IDEs, most Windows operations don't have an undo feature

Where NOT to Deploy

DO NOT deploy Windows-MCP on systems where you cannot tolerate the risk of:

  • ❌ Accidental data loss or corruption
  • ❌ Unintended system configuration changes
  • ❌ Exposure of sensitive information through screenshots
  • ❌ Execution of malicious commands if the LLM is compromised
  • ❌ Compliance violations in regulated environments

Specifically, NEVER deploy on:

  • Production servers or workstations
  • Systems containing irreplaceable data
  • Machines with access to sensitive databases or networks
  • Compliance-regulated environments (healthcare, finance, government)
  • Shared systems or multi-user environments without explicit consent
  • Any system you don't fully control and can't afford to lose

Recommended Safe Deployment

For safer experimentation and usage, strongly consider deploying Windows-MCP in:

Virtual Machines (VMs)

  • Use VMware, VirtualBox, Hyper-V, or similar virtualization platforms
  • Take snapshots before each session for easy rollback
  • Isolate the VM from production networks
  • Limit VM access to non-sensitive resources only

Sandboxed Environments

  • Windows Sandbox (built into Windows 10/11 Pro/Enterprise)
  • Containerized Windows environments
  • Dedicated test machines with no production data
  • Isolated network segments with restricted access

Dedicated Test Systems

  • Separate physical machines used only for testing
  • Systems with regular backups and disaster recovery plans
  • Machines that can be wiped and rebuilt without consequence

Impact Limitation Strategies

If you must use Windows-MCP on a regular system:

  1. Create a Dedicated User Account: Run the MCP server under a restricted user account with minimal permissions
  2. Regular Backups: Maintain frequent, verified backups of all important data
  3. Network Isolation: Disconnect from production networks or use firewall rules
  4. Supervised Operation: Always monitor the agent's actions in real-time
  5. Disable High-Risk Tools: Remove or restrict access to PowerShell-Tool and other destructive tools
  6. Test First: Thoroughly test workflows in a safe environment before production use

Security Considerations

System Access Level

Windows-MCP operates with the same permissions as the user running it. This means:

  • Full System Access: The MCP server can perform any action that the current user can perform
  • No Sandboxing: Tools execute directly on your Windows system without isolation
  • Persistent Changes: Actions taken by the MCP server can permanently modify your system state

Tool-Specific Security Implications

Based on our tool annotations, here's the security profile of each tool:

High-Risk Tools (Potentially Destructive)

These tools can make permanent changes to your system:

| Tool | Risk | Description |
|---|---|---|
| Powershell-Tool | Critical | Can execute arbitrary PowerShell commands, including system modifications, file deletions, and network operations |
| Click-Tool | High | Can trigger destructive UI actions (delete confirmations, system dialogs) |
| Type-Tool | High | Can overwrite text, potentially destroying data when clear=True |
| Drag-Tool | High | Can move/reorganize files, potentially overwriting existing files |
| Shortcut-Tool | High | Can execute destructive keyboard shortcuts (Ctrl+D delete, Alt+F4 close) |

Medium-Risk Tools (Modifying but Non-Destructive)

These tools modify system state but are generally safe:

| Tool | Risk | Description |
|---|---|---|
| App-Tool | Medium | Launches/manages applications but doesn't modify data |
| Scroll-Tool | Low | Only changes viewport position |
| Move-Tool | Low | Only positions mouse cursor |

Low-Risk Tools (Read-Only)

These tools only read information without making changes:

| Tool | Risk | Description |
|---|---|---|
| State-Tool | Safe | Only captures desktop state and screenshots |
| Wait-Tool | Safe | Only pauses execution |
| Scrape-Tool | Safe* | Fetches web content (*may expose browsing activity) |

Best Practices

1. Run with Least Privilege

  • Use a standard user account, not an administrator account, when possible
  • Avoid running Windows-MCP with elevated privileges unless absolutely necessary
  • Consider creating a dedicated user account for automation tasks

2. Trusted LLM Clients Only

  • Only connect Windows-MCP to trusted MCP clients
  • Be cautious when using with third-party or experimental LLM applications
  • Review the client application's security practices before integration

3. Monitor Tool Usage

  • Regularly review logs to understand what actions are being performed
  • Be especially vigilant with high-risk tools (Powershell-Tool, Click-Tool, etc.)
  • Set up alerts for unexpected or suspicious activity

4. Network Security

  • When using SSE or HTTP transport modes, ensure proper network isolation
  • Use localhost binding (127.0.0.1) instead of 0.0.0.0 when possible
  • Implement firewall rules to restrict access to the MCP server ports
  • Never expose the MCP server directly to the internet without proper authentication
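The bind-address rule above is easy to get wrong in a config file (an empty host, `0.0.0.0`, or the IPv6 wildcard `::` all expose the SSE/HTTP transport on every interface). The following is an added example, not Windows-MCP or FastMCP code: `check_bind_address` and `open_listener` are constructed helpers that refuse any non-loopback literal address unless the operator explicitly opts in, and the port is a placeholder (`0` lets the OS pick one for the demonstration).

```python
"""Refuse to start an SSE/HTTP listener on anything but a loopback address.

Added example for this policy; not part of Windows-MCP. The helper names and
the opt-in flag are assumptions made for illustration.
"""
import ipaddress
import socket

# Values that mean "every interface" to most servers, including the IPv6 form.
WILDCARD_HOSTS = {"", "*", "0.0.0.0", "::"}


def check_bind_address(host: str, allow_non_loopback: bool = False) -> str:
    """Return host unchanged if it is safe to bind to, otherwise raise ValueError.

    Only literal IP addresses are accepted: a hostname such as "localhost" can be
    redirected by the hosts file or DNS, so we insist on 127.0.0.1 or ::1.
    """
    host = host.strip()
    if host in WILDCARD_HOSTS:
        raise ValueError(f"refusing wildcard bind {host!r}: server reachable from every interface")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        raise ValueError(f"{host!r} is not an IP literal; use 127.0.0.1 or ::1") from None
    if addr.is_loopback or allow_non_loopback:
        return host
    raise ValueError(f"{host} is not loopback; only allow this behind a firewall and authentication")


def open_listener(host: str, port: int = 0) -> socket.socket:
    """Validate the address, then bind a TCP listener (port 0 = OS-assigned, for the demo)."""
    check_bind_address(host)
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.bind((host, port))
    sock.listen(1)
    return sock


if __name__ == "__main__":
    for candidate in ("127.0.0.1", "0.0.0.0", "::", "192.168.1.10", "localhost"):
        try:
            print(candidate, "->", check_bind_address(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
    srv = open_listener("127.0.0.1")
    print("listening on", srv.getsockname())
    srv.close()
```

The same check belongs wherever the transport host is read from configuration, so that a typo or a copied example cannot silently widen the listener from loopback to the whole network.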

5. Data Protection

  • Be aware that State-Tool captures screenshots that may contain sensitive information
  • Scrape-Tool may fetch content from untrusted websites
  • Avoid using Windows-MCP in environments with highly sensitive data
  • Consider disabling screenshot functionality (use_vision=False) when handling confidential information

6. Code Review

  • Review the source code before deployment in production environments
  • Audit any custom extensions or modifications
  • Keep dependencies up to date to patch known vulnerabilities

7. Backup and Recovery

  • Maintain regular backups before using automation tools
  • Test automation workflows in a safe environment first
  • Have a recovery plan in case of unintended system changes

Deployment Recommendations

Recommended Use Cases

  • Personal productivity automation on your own machine
  • Development and testing environments
  • QA automation in isolated test systems
  • Controlled demonstrations with supervision

Use with Caution

  • Shared workstations or multi-user systems
  • Systems with access to production data
  • Environments with compliance requirements (HIPAA, PCI-DSS, etc.)
  • Automated workflows without human oversight

Not Recommended

  • Production servers or critical infrastructure
  • Systems handling highly sensitive data (financial, medical, personal)
  • Public-facing systems or kiosks
  • Environments where destructive actions cannot be tolerated
  • Systems without proper backups

Vulnerability Reporting

We take security vulnerabilities seriously. If you discover a security issue, please follow responsible disclosure practices:

How to Report

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security issues via:

  1. Email: Send details to the project maintainers at [email protected]
  2. GitHub Security Advisories: Use the GitHub Security Advisory feature (preferred)

What to Include

Please provide:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Suggested fix (if available)
  • Your contact information for follow-up

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Timeline: Depends on severity (critical issues prioritized)

We will acknowledge your contribution in the security advisory and release notes (unless you prefer to remain anonymous).

Security Updates

Staying Informed

Update Policy

  • Security patches will be released as soon as possible
  • Critical vulnerabilities will be addressed within 7 days
  • Users will be notified via GitHub releases and community channels

Dependency Security

Windows-MCP relies on several third-party libraries. We:

  • Regularly update dependencies to patch known vulnerabilities
  • Monitor security advisories for our dependencies
  • Use uv for reproducible dependency management

Key Dependencies

  • PyAutoGUI: Mouse and keyboard automation
  • UIAutomation: Windows UI interaction
  • FastMCP: MCP server framework
  • httpx: HTTP client for web scraping

Compliance and Auditing

Logging

Windows-MCP does not implement comprehensive audit logging by default. For compliance-sensitive environments, consider:

  • Implementing custom logging middleware
  • Using Windows Event Logging for system-level auditing
  • Monitoring file system and registry changes

Data Privacy

  • Windows-MCP collects basic usage data to help improve the MCP server.
  • No personal information, tool arguments, or tool outputs are tracked.
  • Telemetry is enabled by default but can be disabled by setting the ANONYMIZED_TELEMETRY environment variable to false in the MCP server configuration.
  • Windows-MCP processes commands locally on your machine.
  • Screenshots and state captures remain on your local system.
  • Web scraping may expose browsing activity to target websites.

Tool Annotations Reference

All tools include security-relevant annotations:

  • readOnlyHint: true if the tool only reads data
  • destructiveHint: true if the tool may perform destructive updates
  • idempotentHint: true if repeated calls have no additional effect
  • openWorldHint: true if the tool interacts with external entities

Refer to main.py for complete tool annotations.
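The four annotations above are the natural input for the two controls this policy recommends elsewhere: "Disable High-Risk Tools" and "Supervised Operation" under Impact Limitation Strategies, and the "custom logging middleware" suggested under Logging. The block below is an added example, not Windows-MCP code: `ToolSpec`, `policy_decision` and `AuditedGate` are constructed for illustration, the tool registry is a subset of the risk tables in this document with annotations chosen to match their stated risk (main.py remains the authoritative source), and the JSON-lines audit format is an assumption.

```python
"""Annotation-driven tool gate with an audit trail (added example, not project code)."""
import json
import time
from dataclasses import dataclass, asdict
from typing import Callable, Optional


@dataclass(frozen=True)
class ToolSpec:
    """The four security-relevant MCP annotations listed in this policy."""
    name: str
    readOnlyHint: bool = False
    destructiveHint: bool = False
    idempotentHint: bool = False
    openWorldHint: bool = False


# Constructed registry: subset of the tool tables above; annotations are assumed.
TOOLS = {
    "Powershell-Tool": ToolSpec("Powershell-Tool", destructiveHint=True, openWorldHint=True),
    "Click-Tool": ToolSpec("Click-Tool", destructiveHint=True),
    "Type-Tool": ToolSpec("Type-Tool", destructiveHint=True),
    "Scroll-Tool": ToolSpec("Scroll-Tool", idempotentHint=True),
    "State-Tool": ToolSpec("State-Tool", readOnlyHint=True, idempotentHint=True),
    "Scrape-Tool": ToolSpec("Scrape-Tool", readOnlyHint=True, openWorldHint=True),
}

# Operator choice (step 5, Impact Limitation Strategies): tools removed outright.
DISABLED_TOOLS = {"Powershell-Tool"}

# Argument keys whose values must never reach the audit log.
SENSITIVE_KEYS = {"password", "token", "secret", "api_key"}


def redact(args: dict) -> dict:
    """Mask secrets but keep other arguments so the log shows what the agent attempted."""
    return {k: "<redacted>" if k.lower() in SENSITIVE_KEYS else v for k, v in args.items()}


def policy_decision(spec: Optional[ToolSpec], supervised: bool) -> str:
    """Map annotations to 'allow', 'confirm' or 'deny'. Unknown tools fail closed."""
    if spec is None or spec.name in DISABLED_TOOLS:
        return "deny"
    if spec.destructiveHint:
        # Destructive tools run only under supervised operation, one confirmation per call.
        return "confirm" if supervised else "deny"
    return "allow"


class AuditedGate:
    """Middleware between the MCP dispatcher and the tool handlers."""

    def __init__(self, supervised: bool = False,
                 confirm: Callable[[str, dict], bool] = lambda name, args: False,
                 log_path: Optional[str] = None):
        self.supervised = supervised
        self.confirm = confirm        # asks the human operator; the default refuses
        self.log_path = log_path      # optional JSON-lines file
        self.records = []             # in-memory copy of the audit trail

    def _log(self, record: dict) -> None:
        self.records.append(record)
        if self.log_path:
            with open(self.log_path, "a", encoding="utf-8") as fh:
                fh.write(json.dumps(record) + "\n")

    def call(self, tool_name: str, args: dict, handler: Callable[[dict], object]) -> object:
        spec = TOOLS.get(tool_name)
        decision = policy_decision(spec, self.supervised)
        record = {"ts": time.time(), "tool": tool_name, "args": redact(args),
                  "annotations": asdict(spec) if spec else None, "decision": decision}
        if decision == "deny":
            self._log(record)
            raise PermissionError(f"{tool_name}: blocked by policy")
        if decision == "confirm":
            if not self.confirm(tool_name, args):
                record["decision"] = "denied_by_operator"
                self._log(record)
                raise PermissionError(f"{tool_name}: operator refused")
            record["decision"] = "confirmed"
        try:
            result = handler(args)
            record["status"] = "ok"
            return result
        except Exception as exc:
            record["status"] = f"error: {exc}"
            raise
        finally:
            self._log(record)


if __name__ == "__main__":
    gate = AuditedGate(supervised=True, confirm=lambda name, args: True)
    gate.call("State-Tool", {"use_vision": False}, lambda a: "desktop state captured")
    gate.call("Type-Tool", {"text": "hello", "clear": True}, lambda a: "typed")
    try:
        gate.call("Powershell-Tool", {"command": "<placeholder>"}, lambda a: None)
    except PermissionError as exc:
        print("blocked:", exc)
    for rec in gate.records:
        print(json.dumps(rec))
```

Two design points matter here. The gate fails closed: a tool missing from the registry is denied rather than treated as safe, so a new tool added to main.py must be classified before an agent can reach it. And every decision is logged before the handler runs, so a denied or refused call still leaves a record for the review described under "Monitor Tool Usage".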

Disclaimer

USE AT YOUR OWN RISK

Windows-MCP is provided "as is" without warranty of any kind. The maintainers are not responsible for:

  • Data loss or system damage caused by tool usage
  • Security breaches resulting from improper configuration
  • Actions performed by LLM agents using this MCP server
  • Compliance violations in regulated environments

Users are solely responsible for:

  • Ensuring appropriate use in their environment
  • Implementing necessary security controls
  • Complying with applicable laws and regulations
  • Monitoring and auditing tool usage

License

This security policy is part of the Windows-MCP project, licensed under the MIT License. See LICENSE for details.
