Security Policy¶
Supported versions¶
PowerPoint MCP Server is now in production use, though still pre-1.0 (0.x) while the tool surface stabilizes. Only the latest published release receives security fixes; a formal multi-version support matrix will be established once the project reaches a 1.0 release.
Reporting a vulnerability¶
Please report suspected security vulnerabilities privately using GitHub's private vulnerability reporting for this repository, rather than opening a public issue. Include:
- A description of the vulnerability and its potential impact
- Steps to reproduce (a minimal PowerPoint file/tool-call sequence, if applicable)
- Any relevant logs (redact file paths or content you consider sensitive)
We aim to acknowledge reports within a few business days.
Security model¶
- Local, Windows-only automation. The MCP server drives a real, local PowerPoint desktop process over COM (
Microsoft.Office.Interop.PowerPoint). It does not open network ports, does not send presentation content anywhere, and only operates on files you explicitly open, create, or export. - Native Office API only. Because it uses PowerPoint's own COM automation surface rather than a third-party
.pptxparser, there is no custom file-format parsing that could be exploited by a malformed file — PowerPoint itself validates and opens the file. - No macros executed by default. Tools do not execute arbitrary VBA or external code; they call discrete, typed automation operations (add shape, set text, export image, etc.).
- Export-to-verify. Visual verification via
export_slide_to_image/export_all_slides_to_imageswrites image files only to paths you specify.
See also the Privacy Policy for how data is (not) collected or transmitted.