Skip to content

Security: kkunkunya/journal-research-agent-plugins

Security

SECURITY.md

Security Policy

Credentials

This repository must not contain maintainer-owned API keys, customer keys, tokens, cookies, private endpoints, or local runtime secrets.

Customers should configure credentials locally, using environment variables, shell profiles, macOS Keychain, or their own secret manager.

Do not commit:

  • .env or .env.*
  • filled local-config.txt
  • private keys
  • cookies or browser session exports
  • paid provider tokens
  • customer data, unpublished manuscripts, or private reviewer notes

Supported Local Variables

  • BAIDU_API_KEY
  • EASYSCHOLAR_SECRET_KEY
  • OPENALEX_API_KEY
  • FIRECRAWL_API_KEY

See docs/API_KEYS_AND_LOCAL_CONFIG.md.

Reporting

If you find a credential, private endpoint, or customer data in this repository, rotate the affected credential first, then open a private report with the repository owner. Do not paste live secrets into public issues.

There aren't any published security advisories