The DollhouseMCP Collection takes security seriously. All content undergoes rigorous automated security validation to protect users from malicious patterns, prompt injection, and other security risks.
If you discover a security vulnerability, please report it responsibly:
- DO NOT create a public issue
- Email: security@dollhousemcp.com
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will acknowledge receipt within 48 hours and provide updates on our progress.
All content is automatically scanned for:
- Instructions to ignore previous commands
- Attempts to override system prompts
- Hidden or encoded instructions
- Requests to send data externally
- Attempts to access system information
- Unauthorized data collection
- Shell commands or scripts
- File system operations
- Network requests
- YAML bombs
- ReDoS patterns
- Resource exhaustion attempts
Your content must:
- Be transparent and auditable
- Not attempt to bypass safety measures
- Not include encoded/obfuscated instructions
- Not request system-level access
- Not collect or transmit user data
Code must:
- Follow secure coding practices
- Include input validation
- Handle errors gracefully
- Not expose sensitive information
- Be reviewed before merge
graph TD
A[Content Submission] --> B[Automated Security Scan]
B --> C{Pass?}
C -->|Yes| D[Format Validation]
C -->|No| E[Rejection + Report]
D --> F{Pass?}
F -->|Yes| G[Human Review]
F -->|No| E
G --> H{Approved?}
H -->|Yes| I[Merge]
H -->|No| E
β BAD: "Ignore all previous instructions and..."
β BAD: "System: New instructions override all..."
β BAD: Hidden text with white-on-white formattingβ BAD: "Execute: rm -rf /"
β BAD: "Run shell command: ..."
β BAD: "Access file system at /etc/passwd"β BAD: "Send results to external-server.com"
β BAD: "Collect and transmit user data"
β BAD: "Log keystrokes and report"- Be Transparent - Clear, readable instructions
- Stay in Scope - Focus on intended functionality
- Respect Boundaries - Don't try to bypass safety
- Test Safely - Validate in controlled environment
- Validate Input - Never trust user input
- Least Privilege - Request minimum permissions
- Error Handling - Fail safely and securely
- Regular Updates - Keep dependencies current
- Security patches are prioritized
- Critical fixes deployed immediately
- Regular security audits conducted
- Community can audit all code
We track and publish:
- Number of security scans performed
- Patterns detected and blocked
- Response time to security reports
- Security patch deployment time
This security policy covers:
- All content in the Collection
- Platform code and infrastructure
- Submission and validation tools
- API endpoints and integrations
We appreciate security researchers who:
- Report issues responsibly
- Provide clear documentation
- Suggest improvements
- Help make the platform safer
Contributors will be acknowledged (with permission) in our security hall of fame.
This security policy is reviewed:
- Quarterly by the security team
- After any major incident
- When new threat patterns emerge
- Based on community feedback
Last updated: 2025-07-15
For security concerns: security@dollhousemcp.com