Please report security issues privately rather than opening a public issue.

• Open a GitHub security advisory, or
• Email security@vibebrowser.app.

We aim to acknowledge reports within 3 business days and to provide a remediation timeline after triage.

This repository is a thin Codex plugin wrapper. It contains no executable application code and no bundled secrets. It only declares, in .mcp.json, how Codex should launch the published @vibebrowser/mcp server via npx.

• The MCP server runs locally on the user's machine and connects to the user's browser through the Vibe extension and relay.
• No data is sent to this repository or its maintainers at runtime.
• Remote relay connections use wss:// (TLS). The extension UUID in a relay URL identifies a browser session and is not a long-lived secret on its own.

Vulnerabilities in the MCP server itself should be reported against VibeTechnologies/vibe-mcp.