Given the nature of an MCP server that is designed to allow arbitrary code generation and execution, there is a very limited set of vulnerability reports that we will accept. By way of example:

Covered:

✅ A tool can be made to act contrary to its security-relevant annotations.

Not Covered:

❌ execute_code tool can be made to run malicious code via prompt injection in the agent conversation.