
Security: testofschool/selfdoc-mcp-server


SECURITY.md

Security Policy

Reporting vulnerabilities

Email security issues to gangjeongmin23@gmail.com. Do not open public issues for security vulnerabilities. You will receive a response within 72 hours.

Architecture

Selfdoc is a local-first stdio MCP server. It runs as a subprocess of the host application (Claude Desktop, Cursor, etc.) and inherits the host's permissions. There is no network listener, no remote access, and no cloud storage.

All data is stored at ~/.selfdoc/ with mode 0600 (owner read/write only). Directories use mode 0700.

Threat model

selfdoc_interview

  • What it does: Saves user-provided text to a local JSON file
  • Blast radius: Write to ~/.selfdoc/.interview-data.json only
  • Risk: Prompt injection could cause the user to unknowingly save malicious content. Mitigated by: user reviews all answers before generation.
  • Detection: Audit log records phase and answer count (not content)

selfdoc_generate

  • What it does: Reads interview JSON, writes 4 markdown files
  • Blast radius: Write to ~/.selfdoc/{identity,knowledge,workflows,learnings}.md
  • Risk: If interview data contains injected instructions, they propagate to generated files. Mitigated by: user reviews generated files before export.
  • Detection: Audit log records generation events

selfdoc_export

  • What it does: Reads generated files, applies redaction, writes export files
  • Blast radius: Write to ~/.selfdoc/exports/ with .selfdoc suffix. Never overwrites project files directly.
  • Risk: Redaction is pattern-based and not exhaustive. Secrets using non-standard formats may leak. Mitigated by: README warns to review exports manually.
  • Detection: Audit log records format and size parameters

selfdoc_learn

  • What it does: Appends one timestamped line to learnings.md
  • Blast radius: Append-only to one file
  • Risk: Low. Content is user-provided and appended, not executed.
  • Detection: Audit log records category (not content)

selfdoc_recall

  • What it does: Reads local files, returns matching lines
  • Blast radius: Read-only. No file modification.
  • Risk: Could leak sensitive content from local files to the AI context. Mitigated by: data is user's own, stored locally.
  • Detection: Audit log records query length and layer, not query content

selfdoc_delete_profile

  • What it does: Deletes all files under ~/.selfdoc/
  • Blast radius: Complete data loss of selfdoc data only. Cannot access files outside ~/.selfdoc/.
  • Risk: Destructive. Mitigated by: requires exact confirmation string DELETE_ALL_MY_DATA.
  • Detection: Audit log records deletion request (log itself is deleted as part of the operation)

What is NOT in scope

  • Selfdoc does not access the network
  • Selfdoc does not read files outside ~/.selfdoc/
  • Selfdoc does not execute user-provided code
  • Selfdoc does not store credentials (redaction removes them from exports; raw local files may contain them if the user typed them)

Audit log

All tool calls are logged to ~/.selfdoc/audit.log. The log is append-oriented during normal operation but is removed by selfdoc_delete_profile. The log records timestamps, tool names, and parameters — never content. Example:

2026-05-28T10:30:00.000Z [selfdoc_interview] phase=identity keys=3
2026-05-28T10:30:05.000Z [selfdoc_generate] generate
2026-05-28T10:30:10.000Z [selfdoc_export] format=all size=standard
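As an added example (not part of the Selfdoc project), the following reader parses this log format and checks the property the policy promises, that entries carry only tool names and parameters, never content, while also surfacing destructive calls. The first three sample lines are the page's own; the wording of the selfdoc_learn and selfdoc_delete_profile entries is assumed, since the page does not show them.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the line format SECURITY.md shows. Lines 1-3 are the page's
# own example; lines 4-5 are assumptions (the page does not show the exact wording of
# selfdoc_learn or selfdoc_delete_profile entries). Line 4 deliberately violates the
# "parameters, never content" rule so the check below has something to flag.
SAMPLE_LOG = """\
2026-05-28T10:30:00.000Z [selfdoc_interview] phase=identity keys=3
2026-05-28T10:30:05.000Z [selfdoc_generate] generate
2026-05-28T10:30:10.000Z [selfdoc_export] format=all size=standard
2026-05-28T10:31:00.000Z [selfdoc_learn] category=my meeting notes
2026-05-28T10:32:00.000Z [selfdoc_delete_profile] delete
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z) \[(selfdoc_[a-z_]+)\](?: (.*))?$"
)
# Allowed parameter shapes: nothing, one bare action word, or key=value tokens whose
# values are short and whitespace-free. Anything else looks like user content.
PARAMS_RE = re.compile(
    r"^(?:[a-z_]*|[a-z_]+=[A-Za-z0-9_.-]{1,32}(?: [a-z_]+=[A-Za-z0-9_.-]{1,32})*)$"
)
DESTRUCTIVE = {"selfdoc_delete_profile"}


def parse_line(line: str) -> dict:
    """Parse one audit line into ts/tool/params; raise if the shape is wrong."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    raw = m.group(3) or ""
    params = dict(tok.split("=", 1) for tok in raw.split() if "=" in tok)
    return {"ts": ts, "tool": m.group(2), "params": params, "raw_params": raw}


def review_log(text: str) -> dict:
    """Return per-tool call counts plus (line number, finding, tool) triples."""
    counts, findings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_line(line)
        counts[ev["tool"]] = counts.get(ev["tool"], 0) + 1
        if not PARAMS_RE.match(ev["raw_params"]):
            findings.append((n, "content-like parameters", ev["tool"]))
        if ev["tool"] in DESTRUCTIVE:
            findings.append((n, "destructive tool invoked", ev["tool"]))
    return {"counts": counts, "findings": findings}


if __name__ == "__main__":
    print(review_log(SAMPLE_LOG))
```

Because selfdoc_delete_profile removes the log together with the rest of the profile, a deletion entry can only be reviewed in a copy of the log kept outside ~/.selfdoc/.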
