If you discover a security vulnerability in agenteval, please report it responsibly.

Do not open a public GitHub issue.

Instead, open a security advisory or email the maintainer directly with:

• A description of the vulnerability
• Steps to reproduce
• Any relevant logs or screenshots

You will receive an acknowledgment within 48 hours and a detailed response within 5 business days.

agenteval intercepts LLM API calls at the protocol level for testing purposes. Security concerns include:

• Credential exposure in test traces or reports
• Injection attacks via crafted agent outputs that affect evaluators
• Data leakage in HTML/JSON reports (PII from test runs)

• Never commit API keys or credentials in pyproject.toml — use environment variables
• Review HTML reports before sharing — they contain full agent traces
• Use --agenteval-report-dir to control where reports are written