Merged
18 changes: 13 additions & 5 deletions FAQ.md
Expand Up @@ -372,22 +372,30 @@ We welcome feedback from users who try Desktop Commander with other MCP clients

## Security & Permissions

> **Important**: For current security limitations and vulnerability reporting, see our [Security Policy](SECURITY.md).

### Is it safe to give Claude access to my file system?

Claude Desktop Commander operates within certain safety boundaries:
Claude Desktop Commander has known security limitations:

- While file restrictions are currently disabled, Claude typically only works with files in folders you specifically direct it to
- Directory restrictions can be bypassed via symlinks and terminal commands
- Command blocking can be bypassed via command substitution and absolute paths
- Claude can only perform actions that your user account has permission to do
- No data is sent to external servers beyond what you share in Claude conversations

> **Note:** Command blocking features are still in development. You should always review the actions Claude proposes before allowing it to make system changes, especially when working with important files or system configurations.
> **For production use requiring security**: Use the [Docker installation](#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) with selective folder mounting for complete isolation from your host system.

Comment on lines +375 to 386

Contributor

⚠️ Potential issue

Fix broken in-page link (points to FAQ instead of README) and soften isolation claim

The link currently points to a non-existent anchor within FAQ and uses an emoji fragment. Point to README’s stable anchor and avoid “complete isolation”.

-> **Important**: For current security limitations and vulnerability reporting, see our [Security Policy](SECURITY.md).
+> **Important**: For current security limitations and vulnerability reporting, see our [Security Policy](SECURITY.md).
@@
-> **For production use requiring security**: Use the [Docker installation](#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) with selective folder mounting for complete isolation from your host system.
+> **For production use requiring security**: Use the [Docker installation](README.md#docker-installation) with selective folder mounting for a strong isolation boundary from your host system.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
> **Important**: For current security limitations and vulnerability reporting, see our [Security Policy](SECURITY.md).
### Is it safe to give Claude access to my file system?
Claude Desktop Commander operates within certain safety boundaries:
Claude Desktop Commander has known security limitations:
- While file restrictions are currently disabled, Claude typically only works with files in folders you specifically direct it to
- Directory restrictions can be bypassed via symlinks and terminal commands
- Command blocking can be bypassed via command substitution and absolute paths
- Claude can only perform actions that your user account has permission to do
- No data is sent to external servers beyond what you share in Claude conversations
> **Note:** Command blocking features are still in development. You should always review the actions Claude proposes before allowing it to make system changes, especially when working with important files or system configurations.
> **For production use requiring security**: Use the [Docker installation](#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) with selective folder mounting for complete isolation from your host system.
> **Important**: For current security limitations and vulnerability reporting, see our [Security Policy](SECURITY.md).
### Is it safe to give Claude access to my file system?
Claude Desktop Commander has known security limitations:
- Directory restrictions can be bypassed via symlinks and terminal commands
- Command blocking can be bypassed via command substitution and absolute paths
- Claude can only perform actions that your user account has permission to do
> **For production use requiring security**: Use the [Docker installation](README.md#docker-installation) with selective folder mounting for a strong isolation boundary from your host system.
🧰 Tools
🪛 LanguageTool

[grammar] ~385-~385: There might be a mistake here.
Context: ...omplete isolation from your host system. ### Can I control which directories Claude ca...

(QB_NEW_EN)

🤖 Prompt for AI Agents
In FAQ.md around lines 375 to 386, the in-page link currently points to an FAQ
anchor with emoji and should instead point to the README's stable anchor; update
the link to README.md#option-6-docker-installation (remove emoji from fragment)
and replace the phrase "for complete isolation from your host system" with a
softened claim such as "for greater isolation from your host system" (or similar
wording) to avoid the absolute guarantee.

### Can I control which directories Claude can access?

Recent updates have removed path limitations, and work is in progress to add configuration options that will allow you to specify which directories the tool can access. This feature is being developed in [PR #16](https://github.com/wonderwhy-er/ClaudeDesktopCommander/pull/16).
Directory access controls exist but have known bypass vulnerabilities. For secure usage, we recommend the Docker installation which provides complete isolation with controlled folder mounting.

### What commands are blocked by default?

Command blocking exists but can be bypassed through various methods. The current system blocks dangerous commands like `rm`, `sudo`, `format`, etc., but these restrictions can be circumvented.

### How do I report security vulnerabilities?

Please create a [GitHub Issue](https://github.com/wonderwhy-er/DesktopCommanderMCP/issues) with detailed information about any security vulnerabilities you discover. See our [Security Policy](SECURITY.md) for full guidelines.

Comment on lines +396 to +398

Contributor

⚠️ Potential issue

Align vulnerability reporting with private disclosure

Switch to GitHub’s private reporting.

-Please create a [GitHub Issue](https://github.com/wonderwhy-er/DesktopCommanderMCP/issues) with detailed information about any security vulnerabilities you discover. See our [Security Policy](SECURITY.md) for full guidelines.
+Please use GitHub's "Report a vulnerability" in the repository Security tab to submit a private advisory with detailed information. See our [Security Policy](SECURITY.md) for full guidelines.
📝 Committable suggestion

Suggested change
Please create a [GitHub Issue](https://github.com/wonderwhy-er/DesktopCommanderMCP/issues) with detailed information about any security vulnerabilities you discover. See our [Security Policy](SECURITY.md) for full guidelines.
Please use GitHub’s “Report a vulnerability” in the repository Security tab to submit a private advisory with detailed information. See our [Security Policy](SECURITY.md) for full guidelines.
🤖 Prompt for AI Agents
In FAQ.md around lines 396-398, replace the public "create a GitHub Issue"
instruction with a directive to use GitHub's private security reporting
(repository security advisories) — update the sentence to point readers to the
repo's Security Policy page and to file a private report via the repository's
security contact/advisory flow (e.g. link to /security/policy and
/security/advisories/new) so vulnerabilities are reported privately rather than
as a public issue.

Claude Desktop Commander doesn't have a pre-defined blocklist, but you can use the `block_command` and `unblock_command` functions to manage which commands Claude can execute. It's recommended to block commands that could potentially be destructive, such as `rm -rf` or `format`.

### Why is the fileWriteLineLimit set to 50 by default? What is the maximum value?
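
Review bot: At the end of this hunk the existing paragraph beginning "Claude Desktop Commander doesn't have a pre-defined blocklist" is left in place below the new "How do I report security vulnerabilities?" answer, so as rendered it now sits under the reporting heading instead of under "What commands are blocked by default?". It also contradicts the new answer there, which says the current system blocks commands like `rm`, `sudo` and `format`. Move the new reporting section below that paragraph, or fold the `block_command` / `unblock_command` guidance into the new answer and delete the old paragraph. Separately, the rewritten "Is it safe to give Claude access to my file system?" answer drops the note advising users to review the actions Claude proposes, which is the only mitigation in this section that applies outside Docker; consider keeping it next to the new bypass bullets.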
13 changes: 11 additions & 2 deletions README.md
Expand Up @@ -565,9 +565,15 @@ For commands that may take a while:

### ⚠️ Important Security Warnings

1. **Always change configuration in a separate chat window** from where you're doing your actual work. Claude may sometimes attempt to modify configuration settings (like `allowedDirectories`) if it encounters filesystem access restrictions.
> **For comprehensive security information and vulnerability reporting**: See [SECURITY.md](SECURITY.md)

2. **The `allowedDirectories` setting currently only restricts filesystem operations**, not terminal commands. Terminal commands can still access files outside allowed directories. Full terminal sandboxing is on the roadmap.
1. **Known security limitations**: Directory restrictions and command blocking can be bypassed through various methods including symlinks, command substitution, and absolute paths or code execution

2. **Always change configuration in a separate chat window** from where you're doing your actual work. Claude may sometimes attempt to modify configuration settings (like `allowedDirectories`) if it encounters filesystem access restrictions.

3. **The `allowedDirectories` setting currently only restricts filesystem operations**, not terminal commands. Terminal commands can still access files outside allowed directories.

4. **For production security**: Use the [Docker installation](#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) which provides complete isolation from your host system.
Comment on lines +568 to +576

Contributor

⚠️ Potential issue

Fix invalid self-link anchor and soften isolation language

  • The emoji-based fragment violates MD051; point to a stable custom anchor.
  • Avoid “complete isolation” phrasing; remind users to mount selectively/read‑only.
-4. **For production security**: Use the [Docker installation](#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) which provides complete isolation from your host system.
+4. **For production security**: Use the [Docker installation](#docker-installation) for a strong isolation boundary. Mount only the folders you need (prefer read-only binds) to limit host exposure.

Add a stable anchor right before the “Option 6” heading (outside this hunk):

<a id="docker-installation"></a>
🧰 Tools
🪛 LanguageTool

[grammar] ~576-~576: There might be a mistake here.
Context: ...omplete isolation from your host system. ### Configuration Tools You can manage serve...

(QB_NEW_EN)

🪛 markdownlint-cli2 (0.17.2)

576-576: Link fragments should be valid

(MD051, link-fragments)

🤖 Prompt for AI Agents
In README.md around lines 568 to 576, the self-link uses an emoji-based fragment
that violates MD051 and the text overstates Docker as providing "complete
isolation"; add a stable anchor id just before the "Option 6" heading (e.g.
id="docker-installation"), update the link target in this section to point to
that new "#docker-installation" anchor, and soften the wording by replacing
"complete isolation from your host system" with a recommendation that Docker
provides stronger isolation but users should still selectively mount and prefer
read-only mounts for sensitive data.

💡 Verification agent

🧩 Analysis chain

Verify anchor fixes repo-wide

Run this to ensure the new anchor exists and no emoji-based fragments remain:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Check that explicit Docker anchor exists in README:"
rg -n 'id="docker-installation"' README.md || { echo "Missing explicit anchor id"; exit 1; }

echo "Ensure no outdated emoji fragment links remain:"
if rg -n 'option-6-docker-installation' SECURITY.md README.md FAQ.md; then
  echo "Found outdated fragments above; replace them with '#docker-installation' or 'README.md#docker-installation'"
  exit 1
else
  echo "No outdated fragments found."
fi

echo "References to README.md#docker-installation:"
rg -n 'README\.md#docker-installation' SECURITY.md FAQ.md README.md || true

Length of output: 249


Add explicit Docker installation anchor and replace outdated fragment links

The verification script confirmed that README.md is missing the required <a id="docker-installation"></a> anchor, so all links targeting #docker-installation will break. Please:

  • Insert the anchor immediately before the “Option 6: Docker installation” heading in README.md. For example:
    ## Option 6: Docker installation 🐳 ⭐ – auto-updates, no NodeJS required
    +<a id="docker-installation"></a>
  • Update the link in your security section (currently using the emoji-based fragment) from:
    [Docker installation](#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required)
    to:
    [Docker installation](#docker-installation)
  • Search SECURITY.md and FAQ.md for any remaining option-6-docker-installation references and replace them with either #docker-installation or README.md#docker-installation.

These changes are required to restore correct navigation and ensure the new anchor functions as intended.

🤖 Prompt for AI Agents
In README.md around lines 568 to 576, the Docker installation anchor referenced
by links is missing which breaks navigation; insert an explicit anchor tag <a
id="docker-installation"></a> immediately before the "Option 6: Docker
installation" heading, change the security section link from the emoji-based
fragment to [Docker installation](#docker-installation), and then search
SECURITY.md and FAQ.md for any references to "option-6-docker-installation" and
replace them with either "#docker-installation" or
"README.md#docker-installation" as appropriate to restore correct navigation.


### Configuration Tools
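
Review bot: In new item 1 the list ends "symlinks, command substitution, and absolute paths or code execution", which reads like an unfinished edit and does not match the bypass lists added to FAQ.md and SECURITY.md in this same PR (neither mentions code execution, and both mention terminal commands). Use one wording for the bypass classes in all three files, and if code execution is meant as a separate class, give it its own clause. Item 1 and item 3 also overlap: item 3 already says terminal commands can reach files outside `allowedDirectories`, so item 1 could reference it instead of restating part of it.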

Expand Down Expand Up @@ -854,6 +860,9 @@ Yes, when installed through npx or Smithery, Desktop Commander automatically upd
### I'm having trouble installing or using the tool. Where can I get help?
Join our [Discord server](https://discord.gg/kQ27sNnZr7) for community support, check the [GitHub issues](https://github.com/wonderwhy-er/DesktopCommanderMCP/issues) for known problems, or review the [full FAQ](FAQ.md) for troubleshooting tips. You can also visit our [website FAQ section](https://desktopcommander.app#faq) for a more user-friendly experience. If you encounter a new issue, please consider [opening a GitHub issue](https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/new) with details about your problem.

### How do I report security vulnerabilities?
Please create a [GitHub Issue](https://github.com/wonderwhy-er/DesktopCommanderMCP/issues) with detailed information about any security vulnerabilities you discover. See our [Security Policy](SECURITY.md) for complete guidelines on responsible disclosure.

Comment on lines +863 to +865

Contributor

⚠️ Potential issue

Align vulnerability reporting with private disclosure

Route users to GitHub’s private advisory flow rather than public issues.

-Please create a [GitHub Issue](https://github.com/wonderwhy-er/DesktopCommanderMCP/issues) with detailed information about any security vulnerabilities you discover. See our [Security Policy](SECURITY.md) for complete guidelines on responsible disclosure.
+Please use GitHub's "Report a vulnerability" flow (Security tab) to submit a private advisory with detailed information. See our [Security Policy](SECURITY.md) for complete guidelines on responsible disclosure.
📝 Committable suggestion

Suggested change
### How do I report security vulnerabilities?
Please create a [GitHub Issue](https://github.com/wonderwhy-er/DesktopCommanderMCP/issues) with detailed information about any security vulnerabilities you discover. See our [Security Policy](SECURITY.md) for complete guidelines on responsible disclosure.
### How do I report security vulnerabilities?
Please use GitHub's "Report a vulnerability" flow (Security tab) to submit a private advisory with detailed information. See our [Security Policy](SECURITY.md) for complete guidelines on responsible disclosure.
🤖 Prompt for AI Agents
In README.md around lines 863 to 865, the guidance currently instructs users to
file a public GitHub Issue for security vulnerabilities; change this to direct
reporters to GitHub’s private security advisory flow (or to the repository's
SECURITY.md private disclosure instructions). Update the text and link so it
points to the repository’s private security reporting channel (e.g., "Report
security vulnerabilities via GitHub Security Advisories" or a direct link to the
repo's private advisory/reporting page) and ensure SECURITY.md is referenced for
full disclosure instructions.

## Data Collection & Privacy

Desktop Commander collects limited anonymous telemetry data to help improve the tool. No personal information, file contents, file paths, or command arguments are collected.
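
Review bot: The new "How do I report security vulnerabilities?" entry is a third copy of the reporting instructions, next to the ones added to FAQ.md and SECURITY.md in this PR, and the copies already differ ("full guidelines" in FAQ.md, "complete guidelines on responsible disclosure" here). Reduce the README and FAQ answers to a single pointer to SECURITY.md so the reporting channel is defined in one place and a later change to it cannot leave a stale copy behind. As written, the sentence also promises guidelines on responsible disclosure while its first link goes to the public issue list.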
40 changes: 40 additions & 0 deletions SECURITY.md
@@ -0,0 +1,40 @@
# Security Policy

## Current Security Approach

Desktop Commander is designed for human users working with AI assistants like Claude. The security restrictions built into the tool are primarily **guardrails to help the AI model** avoid actions the user didn't intend, rather than hardened security boundaries.

**Security is not currently our top priority** - we haven't heard significant demand from users for stronger security controls. We take **user needs seriously**, so if you need better security controls for your specific use case, please contact the team to discuss your requirements.

**For users who need security**: We recommend using Desktop Commander with Docker, which provides complete isolation. See the [Docker installation section](README.md#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) in our README for setup instructions.

Comment on lines +5 to +10

Contributor

⚠️ Potential issue

Avoid absolute “complete isolation” claim and fix invalid README anchor fragment

  • “Complete isolation” is misleading when users mount host folders; prefer “strong isolation boundary” and recommend selective, read-only mounts.
  • The link fragment with emojis is invalid on GitHub (MD051). Switch to a stable custom anchor and reference that.

Apply:

-**For users who need security**: We recommend using Desktop Commander with Docker, which provides complete isolation. See the [Docker installation section](README.md#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) in our README for setup instructions.
+**For users who need security**: We recommend running Desktop Commander in Docker, which provides a strong isolation boundary when used with selective folder mounts. Avoid mounting broad host paths and prefer read-only binds (e.g., `-v /path:/mnt/path:ro`) where possible. See the [Docker installation section](README.md#docker-installation) in our README for setup instructions.
📝 Committable suggestion

Suggested change
Desktop Commander is designed for human users working with AI assistants like Claude. The security restrictions built into the tool are primarily **guardrails to help the AI model** avoid actions the user didn't intend, rather than hardened security boundaries.
**Security is not currently our top priority** - we haven't heard significant demand from users for stronger security controls. We take **user needs seriously**, so if you need better security controls for your specific use case, please contact the team to discuss your requirements.
**For users who need security**: We recommend using Desktop Commander with Docker, which provides complete isolation. See the [Docker installation section](README.md#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) in our README for setup instructions.
Desktop Commander is designed for human users working with AI assistants like Claude. The security restrictions built into the tool are primarily **guardrails to help the AI model** avoid actions the user didn't intend, rather than hardened security boundaries.
**Security is not currently our top priority** - we haven't heard significant demand from users for stronger security controls. We take **user needs seriously**, so if you need better security controls for your specific use case, please contact the team to discuss your requirements.
**For users who need security**: We recommend running Desktop Commander in Docker, which provides a strong isolation boundary when used with selective folder mounts. Avoid mounting broad host paths and prefer read-only binds (e.g., `-v /path:/mnt/path:ro`) where possible. See the [Docker installation section](README.md#docker-installation) in our README for setup instructions.
🧰 Tools
🪛 LanguageTool

[grammar] ~9-~9: There might be a mistake here.
Context: ...d) in our README for setup instructions. ## Reporting Vulnerabilities 1. **Create a ...

(QB_NEW_EN)

🤖 Prompt for AI Agents
In SECURITY.md around lines 5 to 10, the text currently claims “complete
isolation” and links to an invalid README emoji fragment; change the wording to
avoid absolute claims by replacing “complete isolation” with “a strong isolation
boundary” and add a recommendation to use selective, minimal host mounts and
prefer read-only mounts where possible; also update the link to point to a
stable custom anchor in the README (e.g., README.md#docker-installation) and
ensure the README contains that exact anchor id so the reference is valid on
GitHub.

## Reporting Vulnerabilities

1. **Create a GitHub Issue** with detailed information
2. **Label it as security-related** for visibility
3. **Include technical details** and proof of concept if possible
4. **Request attribution** if you'd like to be credited in any future advisories

We will acknowledge reports and provide context as needed.

Comment on lines +13 to +19

Contributor

⚠️ Potential issue

Use private vulnerability reporting (GitHub Security tab) instead of public issues

Public GitHub Issues for vulns risk 0‑day exposure. Prefer GitHub’s private “Report a vulnerability” workflow.

-1. **Create a GitHub Issue** with detailed information
-2. **Label it as security-related** for visibility  
-3. **Include technical details** and proof of concept if possible
-4. **Request attribution** if you'd like to be credited in any future advisories
-
-We will acknowledge reports and provide context as needed.
+1. **Use GitHub's "Report a vulnerability"** (Security tab) to submit a private advisory
+2. **Include technical details** and a proof of concept if possible
+3. **State desired attribution** if you'd like to be credited in any future advisories
+4. If private reporting is unavailable, contact us on Discord to coordinate a secure channel before disclosure
+
+We will acknowledge reports within 7 days and provide context as needed.
📝 Committable suggestion

Suggested change
1. **Create a GitHub Issue** with detailed information
2. **Label it as security-related** for visibility
3. **Include technical details** and proof of concept if possible
4. **Request attribution** if you'd like to be credited in any future advisories
We will acknowledge reports and provide context as needed.
1. **Use GitHub's "Report a vulnerability"** (Security tab) to submit a private advisory
2. **Include technical details** and a proof of concept if possible
3. **State desired attribution** if you'd like to be credited in any future advisories
4. If private reporting is unavailable, contact us on Discord to coordinate a secure channel before disclosure
We will acknowledge reports within 7 days and provide context as needed.
🤖 Prompt for AI Agents
In SECURITY.md around lines 13 to 19, replace the guidance that asks reporters
to "Create a GitHub Issue" with instructions to use GitHub's private
vulnerability reporting channels: instruct reporters to use the repository's
"Security" → "Report a vulnerability" workflow (or the GitHub Security
Advisory/private report flow) or send sensitive reports to the designated
security contact (e.g., security@yourdomain) instead of opening a public issue,
and update the remaining steps to reference the private report flow (labeling,
technical details/PoC, and attribution requests) so that disclosure happens
privately.

## Current Security Limitations

This project has known security limitations:
- Directory restrictions can be bypassed via symlinks and terminal commands
- Command blocking can be bypassed via substitution and absolute paths
- Terminal commands can access files outside `allowedDirectories` restrictions

**For production use requiring security**: Use Docker installation with selective folder mounting for complete isolation. See [Docker installation instructions](README.md#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) for setup details.

Comment on lines +27 to +28

Contributor

⚠️ Potential issue

Repeat: soften “complete isolation” and fix README link fragment

Mirror the earlier phrasing, and switch to the stable anchor.

-**For production use requiring security**: Use Docker installation with selective folder mounting for complete isolation. See [Docker installation instructions](README.md#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) for setup details.
+**For production use requiring security**: Use the Docker installation with selective folder mounting for a strong isolation boundary. See [Docker installation instructions](README.md#docker-installation) for setup details.
📝 Committable suggestion

Suggested change
**For production use requiring security**: Use Docker installation with selective folder mounting for complete isolation. See [Docker installation instructions](README.md#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) for setup details.
**For production use requiring security**: Use the Docker installation with selective folder mounting for a strong isolation boundary. See [Docker installation instructions](README.md#docker-installation) for setup details.
🧰 Tools
🪛 LanguageTool

[grammar] ~27-~27: There might be a mistake here.
Context: ...s-no-nodejs-required) for setup details. ## Disclosure Timeline As a startup focused...

(QB_NEW_EN)

🤖 Prompt for AI Agents
In SECURITY.md around lines 27-28, the sentence overstates Docker as providing
"complete isolation" and uses an unstable README fragment; mirror the earlier
softer phrasing (e.g., "for improved isolation" or "for stronger isolation")
instead of "complete isolation" and update the README link to the stable anchor
(replace the current fragment with "#option-6-docker-installation" or the
canonical anchor used elsewhere in the repo) so the sentence reads consistently
and links reliably.

## Disclosure Timeline

As a startup focused on user needs rather than theoretical security concerns, we prioritize issues based on actual user demand. We may not respond immediately to security reports but will address issues that affect real user workflows. We appreciate responsible disclosure and will work with researchers when addressing vulnerabilities aligns with user priorities.

## Contact

- **GitHub Issues**: https://github.com/wonderwhy-er/DesktopCommanderMCP/issues
- **Discord Community**: https://discord.gg/kQ27sNnZr7

---

*Last updated: January 2025*
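
Review bot: The "Disclosure Timeline" section contains no timeline: it says only that the team "may not respond immediately", so a reporter cannot tell when a report will be acknowledged or when publishing their findings is acceptable. Either state concrete targets (an acknowledgment window and a disclosure deadline) or rename the section so it is clearly a prioritization statement. The "Contact" section lists only GitHub Issues and the Discord community, so the file offers no channel for details a reporter would not want to post openly. In "Current Security Limitations", "via substitution" should read "via command substitution" to match the wording added to FAQ.md.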