Skip to content

Commit 106a3f7

Browse files
authored
Add security documentation and fix dependency vulnerabilities (#12)
Add comprehensive security considerations section to README.md covering API key isolation, local execution, rate limiting, prompt injection, webhook URLs, and input validation. Note that the server runs locally with no hosted option. Fix 5 npm audit vulnerabilities via dependency updates.
1 parent 353352b commit 106a3f7

2 files changed

Lines changed: 371 additions & 279 deletions

File tree

README.md

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,8 @@
44
## Overview
55
A [Model Context Protocol](https://modelcontextprotocol.io) (MCP) server for [Mailgun](https://mailgun.com), enabling MCP-compatible AI clients to interact with the Mailgun email service.
66

7+
> **Note:** This MCP server runs locally on your machine. Mailgun does not currently offer a hosted version of this server.
8+
79
### Capabilities
810

911
- **Messaging** — Send emails, retrieve stored messages, resend messages
@@ -143,6 +145,36 @@ In your MCP client config, replace the `npx` command with:
143145
"args": ["/path/to/mailgun-mcp-server/src/mailgun-mcp.js"]
144146
```
145147

148+
## Security Considerations
149+
150+
### API key isolation
151+
152+
Your Mailgun API key is passed as an environment variable and is never exposed to the AI model itself — it is only used by the MCP server process to authenticate requests. The server does not log API keys, request parameters, or response data.
153+
154+
### Local execution
155+
156+
The server runs locally on your machine. All communication with the Mailgun API is over HTTPS with TLS certificate validation enforced. No data is sent to third-party services beyond the Mailgun API.
157+
158+
### API key permissions
159+
160+
Use a dedicated Mailgun API key with permissions scoped to only the operations you need. The server exposes read and update operations but does not expose any delete operations, which limits the blast radius of unintended actions.
161+
162+
### Rate limiting
163+
164+
The server does not implement client-side rate limiting. Each tool call from the AI translates directly into a Mailgun API request. The server relies on Mailgun's server-side rate limits to prevent abuse — requests that exceed those limits will return an error to the AI assistant.
165+
166+
### Prompt injection
167+
168+
As with any MCP server, a crafted or adversarial prompt could trick the AI assistant into calling operations you did not intend — for example, modifying tracking settings or reading mailing list members. Review your AI assistant's tool-call confirmations before approving actions, especially in untrusted prompt contexts.
169+
170+
### Webhook URLs
171+
172+
Webhook create and update operations accept arbitrary URLs provided through the AI assistant. The MCP server passes these URLs to the Mailgun API without additional validation. Mailgun is responsible for validating webhook destinations. Ensure your AI assistant does not set webhook URLs to unintended internal or sensitive addresses.
173+
174+
### Input validation
175+
176+
All tool parameters are validated against the Mailgun OpenAPI specification using Zod schemas. However, validation depends on the accuracy of the OpenAPI spec, and some edge-case parameters may fall back to permissive validation. The Mailgun API performs its own server-side validation as an additional layer of protection.
177+
146178
## Debugging
147179

148180
The MCP server communicates over stdio. Refer to the [MCP Debugging Guide](https://modelcontextprotocol.io/docs/tools/debugging) for troubleshooting.

0 commit comments

Comments
 (0)