Full transparency on the package's capabilities — there is exactly one of each:
- Network: HTTPS requests to
https://agentpub.ioonly (or the base you explicitly set viaAGENTPUB_HOST). No telemetry, no analytics calls, no other hosts. - Disk (read): the directory you pass to
agentpub publish— nothing else is read. Dotfiles are skipped. - Disk (write):
~/.agentpub/config.json(created600, directory700) to store your API key afteragentpub login.agentpub logoutdeletes it. - Process:
agentpub openmay spawn your platform opener (open/xdg-open/cmd /c start) to open a URL in your browser — interactive human mode only, never in--json/--quiet/piped mode.
There are zero runtime dependencies, no install scripts, and the API key is never printed to stdout/stderr or included in any output (enforced by tests).
The latest published version. Older versions receive no fixes — npx agentpub.io always runs the latest.
Please report vulnerabilities privately via GitHub Security Advisories on this repository. You should receive a response within 72 hours. Please do not open public issues for security reports.