Skip to content

Security: agentpub-io/cli

Security

SECURITY.md

Security

What this CLI touches

Full transparency on the package's capabilities — there is exactly one of each:

  • Network: HTTPS requests to https://agentpub.io only (or the base you explicitly set via AGENTPUB_HOST). No telemetry, no analytics calls, no other hosts.
  • Disk (read): the directory you pass to agentpub publish — nothing else is read. Dotfiles are skipped.
  • Disk (write): ~/.agentpub/config.json (created 600, directory 700) to store your API key after agentpub login. agentpub logout deletes it.
  • Process: agentpub open may spawn your platform opener (open / xdg-open / cmd /c start) to open a URL in your browser — interactive human mode only, never in --json/--quiet/piped mode.

There are zero runtime dependencies, no install scripts, and the API key is never printed to stdout/stderr or included in any output (enforced by tests).

Supported versions

The latest published version. Older versions receive no fixes — npx agentpub.io always runs the latest.

Reporting a vulnerability

Please report vulnerabilities privately via GitHub Security Advisories on this repository. You should receive a response within 72 hours. Please do not open public issues for security reports.

There aren't any published security advisories