If you discover a security vulnerability in this project, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, email: jim@ecom-x.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.
This project generates CLI scripts that interact with third-party APIs using credentials stored in the user's environment. Security concerns include:
- Credential exposure — Generated scripts read from `.env.local`. Never commit this file.
- Write operations — Generated CLIs include write commands (create, update, delete). Always use `--dry-run` first.
- Token scope — The workflow requests maximum API scope. Review permissions before granting access.

- Never commit `.env.local` or any file containing API keys
- Use the pre-commit hook from `/setup-environment` to block accidental secret commits
- Rotate API keys regularly, especially after team member changes
- Review write operations before execution — use `--dry-run`
- Keep generated CLIs updated when API versions are deprecated
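
One way a pre-commit check of this kind can work, as an added example (it is not the hook that `/setup-environment` installs and not code from this project). The function names, the credential-name pattern, and the exemption for `.env.example` / `.env.sample` templates are assumptions.

```shell
#!/bin/sh
# Illustrative pre-commit hook; not the hook installed by /setup-environment.

# Assumed heuristic: a credential-like name assigned a value of 16+ key characters.
SECRET_PATTERN="(api[_-]?key|secret|token|password)[A-Za-z0-9_]*[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9_/+=-]{16,}"

# Reads staged paths on stdin; prints the ones that must never be committed.
blocked_paths() {
    while IFS= read -r file; do
        case "${file##*/}" in
            .env.example|.env.sample) ;;   # assumed: templates hold no real keys
            .env|.env.*) printf '%s\n' "$file" ;;
        esac
    done
}

# Reads a unified diff on stdin; prints added lines that match SECRET_PATTERN.
secret_lines() {
    grep -E '^\+' | grep -Ev '^\+\+\+ ' | grep -Ei -- "$SECRET_PATTERN" || true
}

main() {
    bad=$(git diff --cached --name-only --diff-filter=ACMR | blocked_paths)
    leaks=$(( $(git diff --cached --unified=0 --no-color | secret_lines | wc -l) ))
    [ -z "$bad" ] && [ "$leaks" -eq 0 ] && return 0
    echo "Commit blocked: possible secrets are staged." >&2
    [ -n "$bad" ] && printf '%s\n' "$bad" | sed 's/^/  env file: /' >&2
    # Report a count only, so the hook never echoes key material into logs.
    [ "$leaks" -gt 0 ] && echo "  $leaks added line(s) look like credentials" >&2
    exit 1
}

# Run only when installed as .git/hooks/pre-commit, so the functions can be sourced.
case "${0##*/}" in pre-commit) main ;; esac
```

Saved as `.git/hooks/pre-commit` and made executable, it rejects a commit that stages `.env.local` or adds a key-like assignment to any file.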
| Version | Supported |
|---|---|
| 1.0.x | ✅ |