We take the security of this project seriously. If you discover a security vulnerability, please report it privately.
DO NOT open a public issue for security vulnerabilities.
- Email: Open a security advisory on GitHub
- GitHub: Go to the Security tab → "Report a vulnerability"
Please provide as much information as possible:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
- Suggested fix (if any)
We aim to respond to security reports within 7 days.
NEVER commit API keys or credentials to this repository!
```bash
# DO: Use environment variables
export QWEN_API_KEY="your-key-here"
export ANTHROPIC_API_KEY="your-key-here"
```

```python
# DON'T: Hardcode in source files
api_key = "sk-xxxxx"  # NEVER DO THIS
```

The following files should NEVER be committed:
| File/Pattern | Reason |
|---|---|
| `.env` | Contains secrets |
| `*.key`, `*.pem` | Private keys |
| `credentials.json` | Authentication data |
| `config.local.json` | Local config with secrets |
| `.claude/settings.local.json` | Local Claude settings |
Always verify third-party dependencies:

```bash
# Check for known vulnerabilities
pip-audit      # For Python dependencies (the tool is installed as pip-audit)
cargo audit    # For Rust dependencies
```

| Measure | Status | Description |
|---|---|---|
| No hardcoded secrets | ✅ | All API keys via environment variables |
| .gitignore configured | ✅ | Sensitive files excluded |
| Dependency scanning | Manual audit recommended | |
| Security policy | ✅ | This document |
Before submitting a PR, ensure:
- No API keys or secrets in code
- No credentials in config files
- Dependencies are from trusted sources
- No sensitive data in logs or error messages
- Code follows secure coding practices
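A pre-commit hook that mechanically enforces the never-commit table and the no-hardcoded-keys rule above, as an added example that is not part of this project's own tooling; the `sk-` key prefix it matches is an illustrative assumption, not a documented provider key format.

```shell
#!/bin/sh
# Added example (not the project's own hook): enforce two rules from this policy
# on staged files: nothing from the never-commit table may be staged, and no
# staged source may carry a hardcoded API key literal.
# The "sk-" prefix below is an illustrative assumption, not a provider format.

# 0 if the path matches a pattern from the never-commit table, 1 otherwise.
is_forbidden_path() {
    case "$1" in
        .env|*/.env|*.key|*.pem|credentials.json|*/credentials.json|\
        config.local.json|*/config.local.json|\
        .claude/settings.local.json|*/.claude/settings.local.json) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the text contains a quoted literal that looks like an API key.
# Reading the key from the environment (os.environ, getenv) is not flagged.
contains_hardcoded_key() {
    printf '%s\n' "$1" | grep -Eq "[\"']sk-[A-Za-z0-9_-]{5,}[\"']"
}

# Check one staged file: 0 if it may be committed, 1 if the commit must be blocked.
check_file() {
    if is_forbidden_path "$1"; then
        echo "BLOCKED: $1 matches a never-commit pattern" >&2
        return 1
    fi
    if contains_hardcoded_key "$2"; then
        echo "BLOCKED: $1 appears to contain a hardcoded API key" >&2
        return 1
    fi
    return 0
}

# Iterate staged files; a non-zero exit aborts the commit.
# Install by copying this script to .git/hooks/pre-commit and making it executable.
run_precommit() {
    git diff --cached --name-only --diff-filter=ACM | while IFS= read -r f; do
        check_file "$f" "$(git show ":$f")" || exit 1
    done
}

# Only scan the index when actually installed as the hook.
if [ "${0##*/}" = "pre-commit" ]; then
    run_precommit
fi
```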
- Educational Project: This is a learning/research project, not production-ready software
- No Warranty: Use at your own risk
- API Dependencies: Relies on external API providers (Anthropic, Alibaba Cloud)
Thank you for helping keep this project secure!