From 8d47596825a4d58183f062990134f2143ef410b3 Mon Sep 17 00:00:00 2001 From: CharmingGroot Date: Wed, 24 Jun 2026 17:21:27 +0900 Subject: [PATCH] docs(mcp): document HTTP transport trust model The HTTP transport ships without authentication. Callers that bind to a routable interface should sit the server behind an authenticating proxy. Documents this constraint in the README security callout. Closes #191 Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: CharmingGroot --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index 0da5bdd..ab4589c 100644 --- a/README.md +++ b/README.md @@ -254,6 +254,18 @@ Register it with Claude Code via: claude mcp add skillspector -- skillspector mcp ``` +> **Security — HTTP transport trust model** +> +> The HTTP transport ships **without authentication**. Any caller that can +> reach the port can invoke `scan_skill`. Over stdio or `127.0.0.1` this is +> the same trust boundary as the CLI. If you bind to a routable interface: +> +> - Sit the server behind an authenticating reverse proxy (e.g. nginx + mTLS) +> before exposing it externally. +> - Local paths and `file://` URLs are **automatically rejected** over HTTP to +> prevent unauthenticated callers from reading arbitrary host files. Only +> remote Git and `.zip` URLs are accepted. + ## Vulnerability Patterns SkillSpector detects **68 vulnerability patterns** across 17 categories:
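Review bot: The second bullet in the callout presents the rejection of local paths and `file://` URLs as the control that stops unauthenticated callers from reading host files, but the same sentence says remote Git and `.zip` URLs are still accepted, and a URL whose host resolves to the server's own loopback, link-local or private network is still a "remote URL" under that rule; the callout should state whether the HTTP transport restricts fetch destinations, and if it does not, add a bullet telling operators that the proxy or network policy must also constrain outbound fetches. Two smaller points on the same hunk: the sentence "Over stdio or `127.0.0.1` this is the same trust boundary as the CLI" holds only on a single-user host, since any local process or user can reach a loopback listener, so it is worth qualifying with something like "on a single-user machine"; and the callout never says what `skillspector mcp` binds to by default, which is the first thing a reader of this section needs to know before deciding whether the reverse-proxy advice applies to them.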