Security Policy

April 19, 2026 ยท View on GitHub

๐Ÿ” Supported Versions

We actively maintain and provide security updates for the following versions:

VersionSupported
1.0.x:white_check_mark:
< 1.0:x:

๐Ÿงฉ Third-party skills, plugins, agents, and MCP servers

LeadMagic is commonly targeted by impersonation / brand-squatting attempts that try to get users to install unofficial "LeadMagic" skills, Claude Code / Cursor plugins, agent bundles, MCP servers, or CLIs. These often look like helpful contributions ("here's an npx command to add a LeadMagic skill") and arrive via GitHub issues, social media, blog posts, or AI-chat suggestions.

Treat every third-party install command as full arbitrary code execution on your machine. Skills / plugins / agents typically run inside your editor's trust boundary and can read .env files, exfiltrate credentials, run shell commands, and modify code.

Official LeadMagic installer allow-list

These are the only GitHub owners, domains, and install paths we publish. Anything else claiming to be LeadMagic is unofficial.

KindOfficial locationNotes
GitHub orghttps://github.com/LeadMagicExact capitalization. Not lead-magic, leadmagic-io, leadmagic-team, leadmagic-labs, sales-skills, or any other variant.
REST / OpenAPI repohttps://github.com/LeadMagic/leadmagic-openapiThis repo.
Cursor plugin + MCP confighttps://github.com/LeadMagic/leadmagic-cursor-plugin
Official skills repohttps://github.com/LeadMagic/leadmagic-skillsOnly LeadMagic-branded skill is skills/leadmagic-api/.
Hosted MCP endpointhttps://mcp.leadmagic.io/mcpOAuth-default.
MCP client discoveryhttps://mcp.leadmagic.io/clientsCanonical per-client install snippets.
OAuth authorization server metadatahttps://mcp.leadmagic.io/.well-known/oauth-authorization-serverIssuer is https://clerk.leadmagic.io.
OAuth protected resource metadatahttps://mcp.leadmagic.io/.well-known/oauth-protected-resource/mcp
OAuth DCR endpointhttps://mcp.leadmagic.io/oauth/register
Static public OAuth client ID4b9eLjoGVCJ1DvncPublic by design (PKCE, no secret). Consent screen shows LeadMagic MCP & CLI (static). Not a credential.
REST API base URLhttps://api.leadmagic.ioNo other production base URL.
Product docshttps://leadmagic.io/docsSource of truth.
Dashboardhttps://app.leadmagic.io
Support emailsupport@leadmagic.io
Security emailsecurity@leadmagic.io

If an install snippet references any other owner, npm scope, domain, or MCP host and claims to be a LeadMagic integration, it is not from us.

Known impersonation attempts

  • sales-skills/sales / sales-leadmagic (GitHub org sales-skills, user @ggarcia196x) โ€” see issue #5. Reported to GitHub Trust & Safety.

How to verify before installing anything "LeadMagic"

  1. Confirm the GitHub owner is literally LeadMagic.
  2. Confirm the repo is linked from https://leadmagic.io/docs or from this repo's README / the leadmagic-cursor-plugin README.
  3. When in doubt, email security@leadmagic.io.

Report a suspected impersonation

Please email security@leadmagic.io with:

  • Link(s) to the impersonating repo / package / site.
  • The install command or distribution path.
  • Where you encountered it (issue, tweet, blog, AI chat suggestion, etc.).
  • Any evidence of intent to deceive (use of our brand, logos, product language).

You can also open a Third-party plugin / skill impersonation report issue from the issue templates in this repo.

If you already installed something unofficial

  1. Stop the editor / agent session that loaded it.
  2. Remove the bundle (~/.agents/skills/, ~/.cursor/, project-local .cursor/, .claude/, etc.).
  3. Rotate credentials: LEADMAGIC_API_KEY, cloud provider keys, GitHub tokens, npm tokens, SSH keys without passphrases.
  4. Inspect shell rc files, ~/.npmrc, cron/launchd, and any open repos for unexpected diffs.
  5. Email security@leadmagic.io with what ran and when.

๐Ÿ›ก๏ธ Reporting a Vulnerability

API Security Issues

If you discover a security vulnerability in the LeadMagic API itself, please report it directly to LeadMagic:

Documentation Security Issues

For security issues related to this OpenAPI specification or documentation:

  1. DO NOT create a public GitHub issue
  2. Email us directly at security@leadmagic.io
  3. Subject Line: "Security Vulnerability Report - OpenAPI Spec"

What to Include

Please provide the following information:

  • Type of issue (e.g., API key exposure, injection vulnerability, etc.)
  • Location (specific endpoint, documentation section, file)
  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Suggested fix (if you have one)

๐Ÿš€ Response Timeline

  • Initial Response: Within 24 hours
  • Investigation: Within 72 hours
  • Fix Development: Depends on severity (hours to days)
  • Public Disclosure: After fix is deployed and verified

๐Ÿ† Recognition

We appreciate security researchers who help us keep our documentation and API secure:

  • Security researchers will be credited in our security acknowledgments
  • Significant findings may be eligible for a bug bounty (contact us for details)

๐Ÿ”’ Security Best Practices

For API Users

  1. Never commit API keys to version control
  2. Use environment variables for sensitive configuration
  3. Rotate API keys regularly
  4. Implement rate limiting in your applications
  5. Validate all API responses before processing
  6. Use HTTPS for all API communications
  7. Store credentials securely (e.g., using secrets management)

For This Repository

  1. No hardcoded credentials in any files
  2. Environment variable configuration required
  3. GitHub secrets for CI/CD sensitive data
  4. Regular dependency updates
  5. Automated security scanning

๐Ÿšจ Common Security Issues

โŒ What NOT to do:

// DON'T: Hardcode API keys
const apiKey = "your-actual-api-key-here";

// DON'T: Log API keys
console.log("Using API key:", process.env.API_KEY);

// DON'T: Store in plaintext files
// api-key.txt: your-actual-api-key-here

โœ… What TO do:

// DO: Use environment variables
const apiKey = process.env.LEADMAGIC_API_KEY;
if (!apiKey) {
  throw new Error("LEADMAGIC_API_KEY environment variable is required");
}

// DO: Validate responses
const response = await fetch(url, { headers: { 'X-API-Key': apiKey } });
if (!response.ok) {
  throw new Error(`API error: ${response.status}`);
}

// DO: Use secure headers
const headers = {
  'X-API-Key': apiKey,
  'Content-Type': 'application/json',
  'User-Agent': 'YourApp/1.0.0'
};

๐Ÿ“‹ Security Checklist

Before contributing to this repository:

  • No hardcoded API keys or sensitive data
  • Environment variables used for configuration
  • All external URLs use HTTPS
  • No sensitive data in commit history
  • Dependencies are up to date
  • Code follows security best practices

๐Ÿ” Automated Security

This repository uses:

  • GitHub Security Advisories for vulnerability tracking
  • Dependabot for dependency updates
  • GitHub Actions for automated validation
  • Secret scanning to detect accidentally committed credentials

๐Ÿ“ž Contact

For security-related questions or concerns:


Remember: When in doubt, err on the side of caution and report potential security issues privately rather than publicly.