UNPKG

leadmagic-mcp-server

Version:

Model Context Protocol server for LeadMagic API - Complete B2B data enrichment with 19 tools for email finding, profile enrichment, company intelligence, job data, and advertisement tracking

github.com/LeadMagic/leadmagic-mcp

LeadMagic/leadmagic-mcp

229 lines (166 loc) 6.47 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
# 🔒 Security Policy ## 🛡️ Supported Versions We actively maintain and provide security updates for the following versions: | Version | Supported | Status | | ------- | ------------------ | ------ | | 1.0.x | ✅ Yes | Active | | < 1.0 | ❌ No | Deprecated | ## 🚨 Reporting a Vulnerability **Please do not report security vulnerabilities through public GitHub issues.** ### 📧 Private Reporting Send security issues directly to: **security@leadmagic.io** Include the following information: - **📋 Description** of the vulnerability - **🔄 Steps to reproduce** the issue - **📊 Impact assessment** (who/what is affected) - **🛠️ Suggested fix** (if you have one) - **🔗 Related files/code** sections - **📧 Your contact information** ### ⏰ Response Timeline - **24 hours**: Initial acknowledgment - **72 hours**: Initial assessment and severity classification - **7 days**: Detailed response with remediation plan - **30 days**: Target resolution for high/critical issues ### 🏆 Security Recognition We appreciate responsible disclosure and will: - **📝 Credit you** in our security advisories (if desired) - **🎁 Provide LeadMagic credits** for valid vulnerabilities - **🏆 Recognition** in our hall of fame ## 🔐 Security Best Practices ### 🔑 API Key Security **✅ Do:** - Store API keys in environment variables - Use `.env` files for local development (never commit them) - Rotate API keys regularly - Use separate keys for different environments - Monitor API key usage in your dashboard **❌ Don't:** - Hardcode API keys in source code - Share API keys in chat/email - Commit `.env` files to version control - Use production keys in development - Log API keys in application logs ### 🌐 Network Security **✅ Recommended:** - Use HTTPS for all API communications - Implement request timeout limits - Use firewall rules to restrict outbound connections - Monitor API usage and rate limits - Implement proper error handling to avoid information leakage ### 📱 Client-Side Security **✅ MCP Client Security:** - Never expose API keys to client-side code - Run MCP server in secure environments only - Use least-privilege access principles - Regularly update MCP client applications - Monitor MCP server logs for suspicious activity ### 🔧 Configuration Security **✅ Secure Configuration:** ```bash # ✅ Good - Environment variable export LEADMAGIC_API_KEY="your-secure-api-key" # ✅ Good - .env file (not committed) LEADMAGIC_API_KEY=your-secure-api-key # ❌ Bad - Hardcoded in code const apiKey = "lm_1234567890abcdef"; // NEVER DO THIS ``` ## 🔍 Security Features ### 🛡️ Built-in Security **Input Validation:** - All inputs validated with Zod schemas - Type-safe TypeScript implementation - Sanitized error messages - Request size limits **Network Security:** - HTTPS-only API communication - Configurable timeout settings - Automatic retry with exponential backoff - User-agent identification **Error Handling:** - No sensitive data in error messages - Sanitized stack traces - Proper HTTP status codes - Logged security events ### 🔐 Data Protection **Data Handling:** - No persistent storage of sensitive data - Minimal data retention - Secure API communication - GDPR compliance considerations **Privacy:** - No personal data logging - Configurable debug levels - Optional request/response logging - Data minimization principles ## 🚫 Known Security Considerations ### ⚠️ Environment Variables **Risk**: API keys in environment variables can be accessed by any process **Mitigation**: - Use secure environment variable management - Restrict process access permissions - Monitor environment variable access ### ⚠️ Network Interception **Risk**: API requests could be intercepted **Mitigation**: - Always use HTTPS (enforced by default) - Implement certificate pinning if needed - Use VPN for sensitive environments ### ⚠️ Rate Limiting **Risk**: API abuse or DoS attacks **Mitigation**: - Built-in rate limiting respect - Configurable timeout settings - Monitor API usage patterns ## 📋 Security Checklist ### 🔧 For Developers - [ ] API keys stored securely (environment variables) - [ ] No sensitive data in logs - [ ] Input validation implemented - [ ] Error handling doesn't leak information - [ ] Dependencies regularly updated - [ ] Security tests included ### 🛠️ For Deployment - [ ] Secure environment configuration - [ ] Network access properly restricted - [ ] Monitoring and alerting configured - [ ] Regular security updates applied - [ ] Access logs monitored - [ ] Backup and recovery plans tested ### 👥 For Users - [ ] API keys rotated regularly - [ ] Usage monitored in dashboard - [ ] Secure development environment - [ ] Latest version installed - [ ] Security advisories subscribed ## 🚨 Incident Response ### 📞 If You Suspect a Security Issue 1. **🛑 Stop**: Don't continue using potentially compromised systems 2. **🔒 Secure**: Rotate API keys immediately 3. **📧 Report**: Contact security@leadmagic.io 4. **📋 Document**: Save logs and evidence 5. **⏰ Monitor**: Watch for unusual activity ### 🔄 Our Response Process 1. **📧 Acknowledgment**: We'll confirm receipt within 24 hours 2. **🔍 Investigation**: Assess impact and scope 3. **🛠️ Mitigation**: Implement immediate fixes 4. **📢 Communication**: Update affected users 5. **📝 Post-mortem**: Document lessons learned ## 📚 Security Resources ### 📖 Documentation - [LeadMagic Security Center](https://leadmagic.io/security) - [API Security Best Practices](https://docs.leadmagic.io/security) - [MCP Security Guidelines](https://modelcontextprotocol.io/security) ### 🛠️ Tools - [API Key Management](https://app.leadmagic.io/dashboard/api-keys) - [Usage Monitoring](https://app.leadmagic.io/dashboard/usage) - [Security Alerts](https://app.leadmagic.io/dashboard/security) ### 📧 Contact - **🚨 Security Issues**: security@leadmagic.io - **💬 General Support**: support@leadmagic.io - **💬 Community**: [Discord](https://discord.gg/leadmagic) ## 🔄 Updates This security policy is reviewed and updated regularly. Check back for the latest security guidance and best practices. **Last Updated**: January 27, 2025 **Version**: 1.0.0 --- **🛡️ Security is a shared responsibility. Thank you for helping keep LeadMagic MCP Server secure!**