Security: a-funk/sharkclean-mcp

SECURITY.md

Security & Credentials

How credentials are handled

  • Your SharkClean email/password are used once, during shark-mcp-auth, to log in through SharkNinja's real Auth0 browser flow. They are read from environment variables or a local .env file.
  • The server does not store your password. The one-time login yields an Auth0 refresh token, cached at ~/.config/shark-mcp/tokens.json (file mode 600). The server mints short-lived access tokens from it as needed.
  • .env and the token cache are never committed (.env is in .gitignore).
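As an added example (not code from the sharkclean-mcp project), a small Python helper that shows what the points above imply in practice: the cache is created with mode 600 from its very first write, a cache whose owner or permissions have drifted is refused rather than used, and "delete it to revoke" is a one-line operation. The cache path constant and all function names are assumptions for illustration.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumed location, matching the path SECURITY.md describes.
CACHE_FILE = Path.home() / ".config" / "shark-mcp" / "tokens.json"


def write_token_cache(path: Path, refresh_token: str) -> None:
    """Create the cache with mode 600 from the start (never a world-readable window)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.parent.chmod(0o700)            # keep the directory private as well
    tmp = path.with_suffix(".tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"refresh_token": refresh_token}, f)
    os.replace(tmp, path)               # atomic swap: no half-written cache


def check_token_cache(path: Path):
    """Return a reason the cache must not be trusted, or None when it is OK."""
    try:
        st = os.lstat(path)             # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if st.st_uid != os.getuid():
        return "wrong owner"
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"loose permissions {oct(stat.S_IMODE(st.st_mode))}"
    return None


def revoke_local_access(path: Path) -> bool:
    """Delete the cache; without the refresh token no access tokens can be minted."""
    try:
        path.unlink()
        return True
    except FileNotFoundError:
        return False


def demo() -> dict:
    """Round trip in a temp dir with a constructed sample token; returns each check's result."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "shark-mcp" / "tokens.json"
        write_token_cache(p, "CONSTRUCTED-SAMPLE-REFRESH-TOKEN")
        fresh = check_token_cache(p)
        mode = stat.S_IMODE(p.stat().st_mode)
        p.chmod(0o644)                  # simulate a careless chmod or bad umask
        loose = check_token_cache(p)
        revoked = revoke_local_access(p)
        return {"fresh": fresh, "mode": mode, "loose": loose,
                "revoked": revoked, "after": check_token_cache(p)}
```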

Recommendations

  • Treat ~/.config/shark-mcp/tokens.json like a password — it grants control of your robot. Delete it to revoke this machine's access; re-run shark-mcp-auth to restore.
  • If you suspect your SharkClean password leaked (e.g. it was typed into a shared shell), change it in the SharkClean app and re-run shark-mcp-auth.

Reporting a vulnerability

Open a GitHub issue for non-sensitive reports. For anything sensitive, contact the maintainer privately rather than filing a public issue.

Disclaimer

This is an unofficial project, not affiliated with or endorsed by SharkNinja. It relies on community reverse engineering of a private API that can change at any time.