If you discover a security vulnerability in Claudia, please report it privately rather than opening a public issue.
Email: kamilbanc [at] gmail.com
Subject line: [SECURITY] Brief description
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)
- Acknowledgment within 48 hours
- Status update within 7 days
- Credit in the fix announcement (unless you prefer anonymity)
- The `npx get-claudia` installer (`bin/index.js`)
- Memory daemon (`memory-daemon/`)
- Template files that execute code
- MCP server configuration
- Claude Code itself (report to Anthropic)
- Ollama (report to Ollama)
- User-modified template files
- Third-party dependencies
Claudia runs locally on your machine. Key security considerations:
- Memory daemon listens only on localhost (127.0.0.1:3848)
- No external network calls except Ollama embeddings (local)
- All data stays local in `~/.claudia/` and your workspace
- No telemetry or analytics
| Version | Supported |
|---|---|
| 1.3.x | Yes |
| 1.2.x | Security fixes only |
| < 1.2 | No |
- Keep Claude Code updated
- Review `.mcp.json` before running
- Don't commit sensitive data to context files
- Run `~/.claudia/diagnose.sh` to verify service configuration