If you discover a security vulnerability in AgentHub, please report it responsibly.

Do NOT open a public issue.

Instead, please email: security@agenthub.dev (or open a private advisory on GitHub).

Include:

• A description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

We will respond within 48 hours and work with you to resolve the issue.

• File tools are sandboxed to the current working directory
• No secrets are logged or exposed in API responses
• API keys are read from environment variables only – never hardcoded
• Dependencies are pinned to minimum versions and regularly audited