Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

🛡️ Making MCP Server Safer#1377

Nov 10, 2025· 1 comments· 2 replies
Discussion options

Hello from the github-mcp-server maintainers! ❤️

We’re working on two important initiatives to makegithub-mcp-server more secure and predictable when integrating with LLMs:

🔒 1. Content Filtering

We’re introducing a regex-based content filtering layer that sanitises all user-generated text before it’s passed to the LLM.
This layer uses carefully designed regular expressions to detect and remove hidden or malicious content - such as invisible Unicode characters or hidden HTML attributes - that could otherwise alter model behavior.

🧰 What’s in scope

Filtering will apply to all text responses produced by tools.

🧱 Planned filters

We’re implementing a multi-stage filter pipeline:

  • ✅ remove invisible Unicode characters
  • ✅ allow only safe HTML tags/attributes
  • ✅ restrict allowed url schemes to HTTP and HTTPS
  • 🔄 introduce a configurable lockdown mode to ensure only content from users with push access to the repository is returned.

🌍 2. Expanding openWorldHint Coverage

We’re also expanding the use of theopenWorldHint annotation across more tools.
This flag indicates whether a tool interacts with external systems or data sources — making tool behavior more transparent and predictable for both developers and LLMs.
This will help downstream clients better reason about trust boundaries and decide when user consent or isolation may be needed.

🚀 What’s Next

Both efforts are in progress — content filtering is being rolled out incrementally, and the openWorldHint expansion will follow shortly.

Related PRs

  • removal of invisible Unicode characters#1344)
  • allow only safe HTML tags/attributes#1356)
  • lockdown mode#1371

💬 Questions, feedback, or implementation ideas? Drop them below — we’d love to hear your thoughts!

You must be logged in to vote

Replies: 1 comment 2 replies

Comment options

Hi, really nice on the works regarding this new system. I have some questions tho:

  1. Will there be a configurable whitelist/blacklist system so projects can customize filtering rules per use case?
  2. How are false positives handled - could users get visibility into what was removed?
  3. How will openWorldHint be exposed - as metadata in the tool manifest, or in responses? Could this be surfaced via the MCP protocol spec itself?

Thanks a lot for this!

You must be logged in to vote
2 replies
@JoannaaKL
Comment options

JoannaaKLNov 11, 2025
Maintainer Author

Hey@khuynh22 👋 Thanks a lot for the thoughtful questions — really appreciate the interest!

  1. A configurable whitelist/blacklist system is definitely on our radar.
  2. In cases where we detect potentially dangerous content, we don’t expose the removed output to the user for safety reasons. At the moment, the system silently filters out malicious data, but we’re exploring ways to surface an explicit error instead.
  3. OpenWorldHint is a per-tool annotation. We’re usingmark3labs/mcp-go, which defines the available annotations — including openWorldHint.

If you have other suggestions or ideas, please feel free to share them — we’d love to hear your thoughts!

@khuynh22
Comment options

Thank you so much for the quick answer! I'll stay tuned for more updates. Nice work!

Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Labels
2 participants
@JoannaaKL@khuynh22
[8]ページ先頭
©2009-2025 Movatter.jp