Security Policy
April 19, 2026 ยท View on GitHub
๐ Supported Versions
We actively maintain and provide security updates for the following versions:
| Version | Supported |
|---|---|
| 1.0.x | :white_check_mark: |
| < 1.0 | :x: |
๐งฉ Third-party skills, plugins, agents, and MCP servers
LeadMagic is commonly targeted by impersonation / brand-squatting attempts that try to get users to install unofficial "LeadMagic" skills, Claude Code / Cursor plugins, agent bundles, MCP servers, or CLIs. These often look like helpful contributions ("here's an npx command to add a LeadMagic skill") and arrive via GitHub issues, social media, blog posts, or AI-chat suggestions.
Treat every third-party install command as full arbitrary code execution on your machine. Skills / plugins / agents typically run inside your editor's trust boundary and can read .env files, exfiltrate credentials, run shell commands, and modify code.
Official LeadMagic installer allow-list
These are the only GitHub owners, domains, and install paths we publish. Anything else claiming to be LeadMagic is unofficial.
| Kind | Official location | Notes |
|---|---|---|
| GitHub org | https://github.com/LeadMagic | Exact capitalization. Not lead-magic, leadmagic-io, leadmagic-team, leadmagic-labs, sales-skills, or any other variant. |
| REST / OpenAPI repo | https://github.com/LeadMagic/leadmagic-openapi | This repo. |
| Cursor plugin + MCP config | https://github.com/LeadMagic/leadmagic-cursor-plugin | |
| Official skills repo | https://github.com/LeadMagic/leadmagic-skills | Only LeadMagic-branded skill is skills/leadmagic-api/. |
| Hosted MCP endpoint | https://mcp.leadmagic.io/mcp | OAuth-default. |
| MCP client discovery | https://mcp.leadmagic.io/clients | Canonical per-client install snippets. |
| OAuth authorization server metadata | https://mcp.leadmagic.io/.well-known/oauth-authorization-server | Issuer is https://clerk.leadmagic.io. |
| OAuth protected resource metadata | https://mcp.leadmagic.io/.well-known/oauth-protected-resource/mcp | |
| OAuth DCR endpoint | https://mcp.leadmagic.io/oauth/register | |
| Static public OAuth client ID | 4b9eLjoGVCJ1Dvnc | Public by design (PKCE, no secret). Consent screen shows LeadMagic MCP & CLI (static). Not a credential. |
| REST API base URL | https://api.leadmagic.io | No other production base URL. |
| Product docs | https://leadmagic.io/docs | Source of truth. |
| Dashboard | https://app.leadmagic.io | |
| Support email | support@leadmagic.io | |
| Security email | security@leadmagic.io |
If an install snippet references any other owner, npm scope, domain, or MCP host and claims to be a LeadMagic integration, it is not from us.
Known impersonation attempts
sales-skills/sales/sales-leadmagic(GitHub orgsales-skills, user@ggarcia196x) โ see issue #5. Reported to GitHub Trust & Safety.
How to verify before installing anything "LeadMagic"
- Confirm the GitHub owner is literally
LeadMagic. - Confirm the repo is linked from
https://leadmagic.io/docsor from this repo's README / theleadmagic-cursor-pluginREADME. - When in doubt, email
security@leadmagic.io.
Report a suspected impersonation
Please email security@leadmagic.io with:
- Link(s) to the impersonating repo / package / site.
- The install command or distribution path.
- Where you encountered it (issue, tweet, blog, AI chat suggestion, etc.).
- Any evidence of intent to deceive (use of our brand, logos, product language).
You can also open a Third-party plugin / skill impersonation report issue from the issue templates in this repo.
If you already installed something unofficial
- Stop the editor / agent session that loaded it.
- Remove the bundle (
~/.agents/skills/,~/.cursor/, project-local.cursor/,.claude/, etc.). - Rotate credentials:
LEADMAGIC_API_KEY, cloud provider keys, GitHub tokens, npm tokens, SSH keys without passphrases. - Inspect shell rc files,
~/.npmrc, cron/launchd, and any open repos for unexpected diffs. - Email
security@leadmagic.iowith what ran and when.
๐ก๏ธ Reporting a Vulnerability
API Security Issues
If you discover a security vulnerability in the LeadMagic API itself, please report it directly to LeadMagic:
- Email: security@leadmagic.io
- Subject Line: "Security Vulnerability Report - API"
Documentation Security Issues
For security issues related to this OpenAPI specification or documentation:
- DO NOT create a public GitHub issue
- Email us directly at security@leadmagic.io
- Subject Line: "Security Vulnerability Report - OpenAPI Spec"
What to Include
Please provide the following information:
- Type of issue (e.g., API key exposure, injection vulnerability, etc.)
- Location (specific endpoint, documentation section, file)
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if you have one)
๐ Response Timeline
- Initial Response: Within 24 hours
- Investigation: Within 72 hours
- Fix Development: Depends on severity (hours to days)
- Public Disclosure: After fix is deployed and verified
๐ Recognition
We appreciate security researchers who help us keep our documentation and API secure:
- Security researchers will be credited in our security acknowledgments
- Significant findings may be eligible for a bug bounty (contact us for details)
๐ Security Best Practices
For API Users
- Never commit API keys to version control
- Use environment variables for sensitive configuration
- Rotate API keys regularly
- Implement rate limiting in your applications
- Validate all API responses before processing
- Use HTTPS for all API communications
- Store credentials securely (e.g., using secrets management)
For This Repository
- No hardcoded credentials in any files
- Environment variable configuration required
- GitHub secrets for CI/CD sensitive data
- Regular dependency updates
- Automated security scanning
๐จ Common Security Issues
โ What NOT to do:
// DON'T: Hardcode API keys
const apiKey = "your-actual-api-key-here";
// DON'T: Log API keys
console.log("Using API key:", process.env.API_KEY);
// DON'T: Store in plaintext files
// api-key.txt: your-actual-api-key-here
โ What TO do:
// DO: Use environment variables
const apiKey = process.env.LEADMAGIC_API_KEY;
if (!apiKey) {
throw new Error("LEADMAGIC_API_KEY environment variable is required");
}
// DO: Validate responses
const response = await fetch(url, { headers: { 'X-API-Key': apiKey } });
if (!response.ok) {
throw new Error(`API error: ${response.status}`);
}
// DO: Use secure headers
const headers = {
'X-API-Key': apiKey,
'Content-Type': 'application/json',
'User-Agent': 'YourApp/1.0.0'
};
๐ Security Checklist
Before contributing to this repository:
- No hardcoded API keys or sensitive data
- Environment variables used for configuration
- All external URLs use HTTPS
- No sensitive data in commit history
- Dependencies are up to date
- Code follows security best practices
๐ Automated Security
This repository uses:
- GitHub Security Advisories for vulnerability tracking
- Dependabot for dependency updates
- GitHub Actions for automated validation
- Secret scanning to detect accidentally committed credentials
๐ Contact
For security-related questions or concerns:
- General Security: security@leadmagic.io
- API Support: support@leadmagic.io
- Documentation Issues: Create a GitHub issue (for non-security items)
Remember: When in doubt, err on the side of caution and report potential security issues privately rather than publicly.