## Supported Versions

| Version | Supported |
|---|---|
| 1.0.x | ✅ Active support |
| < 1.0 | ❌ Pre-release |
## Reporting a Vulnerability

Please report security vulnerabilities to ebowman@boboco.ie and include:

- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if any)

What to expect:

- Initial response within 48 hours
- Security patches prioritized for immediate release
## AppleScript Safety

- All user inputs are sanitized before AppleScript execution
- Commands are constructed using parameterized templates
- No remote code execution possible (local-only operation)
- Sandboxed within macOS security model
## Data Privacy

- Things 3 authentication tokens stored locally only
- No network requests to external services
- All Things 3 data remains on your Mac
- MCP server runs locally without internet access
- No telemetry or usage tracking
## Permissions

- Requires Automation permission for Things 3
- No elevated privileges needed
- Follows macOS sandboxing guidelines
- User must explicitly grant permissions
## Best Practices

- Store auth tokens in environment variables, not files
- Use `.env` files for local configuration (never commit them)
- Regular security audits of AppleScript commands
- Input validation on all MCP tool parameters
## Security Architecture

- **Local-only operation**: no cloud dependencies
- **Sandboxed execution**: AppleScript runs in the macOS sandbox
- **No persistent storage**: nothing beyond Things 3's own database
- **Minimal dependencies**: only FastMCP and Pydantic required
- **Type-safe operations**: Pydantic validation on all inputs
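The following is an added example, not the project's own code, showing how the AppleScript safety and input-validation points above fit together: tool parameters are validated before use, the AppleScript source is a fixed template, and user values reach the script through `osascript` arguments rather than by being spliced into script text. The Things 3 dictionary calls in the template (`tell application "Things3"`, `make new to do`), the length limits, and the `THINGS_AUTH_TOKEN` variable name are assumptions; a standard-library `dataclass` stands in for the Pydantic model the project uses.

```python
"""Parameterised AppleScript invocation and input validation for an MCP tool.

Added example; not the project's own code. Assumptions are marked below.
"""
import os
import re
import subprocess
from dataclasses import dataclass

MAX_TITLE_LEN = 500                    # assumed limit, not from the project
MAX_NOTES_LEN = 10_000                 # assumed limit, not from the project
AUTH_TOKEN_ENV = "THINGS_AUTH_TOKEN"   # hypothetical variable name

# Non-printing control characters; newline (\x0a) and tab (\x09) are left out
# so that multi-line notes remain valid.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

# Fixed template: user data is never spliced into the source. The script reads
# its parameters from argv, which osascript fills from the command line.
# The Things 3 calls below are assumed, not taken from the project's code.
ADD_TODO_SCRIPT = """
on run argv
    set todoTitle to item 1 of argv
    set todoNotes to item 2 of argv
    tell application "Things3"
        set newToDo to make new to do with properties {name:todoTitle, notes:todoNotes}
        return id of newToDo
    end tell
end run
"""


@dataclass(frozen=True)
class AddTodoParams:
    """Validated parameters for an add-todo tool (stdlib stand-in for a Pydantic model)."""
    title: str
    notes: str = ""

    def __post_init__(self) -> None:
        if not isinstance(self.title, str) or not isinstance(self.notes, str):
            raise ValueError("title and notes must be strings")
        if not self.title.strip():
            raise ValueError("title must not be blank")
        if "\n" in self.title:
            raise ValueError("title must be a single line")
        if len(self.title) > MAX_TITLE_LEN or len(self.notes) > MAX_NOTES_LEN:
            raise ValueError("title or notes exceeds the allowed length")
        for field_name, value in (("title", self.title), ("notes", self.notes)):
            if _CONTROL_CHARS.search(value):
                raise ValueError(f"{field_name} contains control characters")


def applescript_string_literal(value: str) -> str:
    """Quote a value as an AppleScript string literal.

    Only backslash and double quote are special inside AppleScript string
    literals. Use this only where a value genuinely must be embedded in script
    text; passing it via argv (build_osascript_argv) is the preferred route.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_osascript_argv(params: AddTodoParams) -> list[str]:
    """Build the osascript command line.

    Each value is its own argv entry, so quotes, braces or AppleScript
    keywords inside it cannot change the script that runs.
    """
    # "--" ends option parsing so a title beginning with "-" is not read as a flag.
    return ["osascript", "-e", ADD_TODO_SCRIPT, "--", params.title, params.notes]


def load_auth_token() -> str:
    """Read the Things 3 auth token from the environment, never from a file in the repo."""
    token = os.environ.get(AUTH_TOKEN_ENV, "")
    if not token:
        raise RuntimeError(f"{AUTH_TOKEN_ENV} is not set")
    return token


def run_add_todo(params: AddTodoParams) -> str:
    """Execute the script (macOS only) and return the new to-do's id."""
    result = subprocess.run(
        build_osascript_argv(params), capture_output=True, text=True, check=True
    )
    return result.stdout.strip()
```

`build_osascript_argv` is the piece worth copying: because `subprocess.run` receives a list and the script takes its inputs from `argv`, there is no shell and no string interpolation between the MCP client and AppleScript. `applescript_string_literal` is kept only for the rare case where a value must appear inside script source, and the validation in `AddTodoParams` is what the "input validation on all MCP tool parameters" item refers to, here done before any command is built.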