diff --git a/README.md b/README.md
index 7d41fe4e..9e84afdf 100644
--- a/README.md
+++ b/README.md
@@ -170,7 +170,7 @@ while True:
     messages.extend(response)
 ```
 
-In addition to using built-in agent implementations such as `class Assistant`, you can also develop your own agent implemetation by inheriting from `class Agent`.
+In addition to using built-in agent implementations such as `class Assistant`, you can also develop your own agent implementation by inheriting from `class Agent`.
 
 The framework also provides a convenient GUI interface, supporting the rapid deployment of Gradio Demos for Agents.
 For example, in the case above, you can quickly launch a Gradio Demo using the following code:
diff --git a/qwen_agent/gui/gradio_utils.py b/qwen_agent/gui/gradio_utils.py
index 3d599823..693f1df5 100644
--- a/qwen_agent/gui/gradio_utils.py
+++ b/qwen_agent/gui/gradio_utils.py
@@ -13,6 +13,7 @@
 # limitations under the License.
 
 import base64
+import html
 
 
 def covert_image_to_base64(image_path):
@@ -36,6 +37,9 @@ def format_cover_html(bot_name, bot_description, bot_avatar):
         image_src = covert_image_to_base64(bot_avatar)
     else:
         image_src = '//img.alicdn.com/imgextra/i3/O1CN01YPqZFO1YNZerQfSBk_!!6000000003047-0-tps-225-225.jpg'
+    # Escape user input to prevent XSS attacks
+    safe_bot_name = html.escape(bot_name)
+    safe_bot_description = html.escape(bot_description)
     return f"""
 <style>
     body.dark-mode .bot_cover {{
@@ -74,7 +78,7 @@ def format_cover_html(bot_name, bot_description, bot_avatar):
     <div class="bot_avatar">
         <img src="{image_src}" />
     </div>
-    <div class="bot_name">{bot_name}</div>
-    <div class="bot_desp">{bot_description}</div>
+    <div class="bot_name">{safe_bot_name}</div>
+    <div class="bot_desp">{safe_bot_description}</div>
 </div>
 """
diff --git a/qwen_agent/tools/mcp_manager.py b/qwen_agent/tools/mcp_manager.py
index 9920978f..7060b708 100644
--- a/qwen_agent/tools/mcp_manager.py
+++ b/qwen_agent/tools/mcp_manager.py
@@ -30,10 +30,12 @@
 
 class MCPManager:
     _instance = None  # Private class variable to store the unique instance
+    _lock = threading.Lock()  # Class-level lock for thread-safe singleton
 
     def __new__(cls, *args, **kwargs):
-        if cls._instance is None:
-            cls._instance = super(MCPManager, cls).__new__(cls, *args, **kwargs)
+        with cls._lock:
+            if cls._instance is None:
+                cls._instance = super(MCPManager, cls).__new__(cls, *args, **kwargs)
         return cls._instance
 
     def __init__(self):