Agent Evals is early-stage software. Security fixes target the latest version on the default branch.
Please report security issues privately instead of opening a public issue.
If GitHub private vulnerability reporting is enabled for the repository, use that channel. Otherwise, contact the repository owner directly through GitHub.
Agent Evals may process prompts, model outputs, traces, and evaluation metadata. Treat those inputs as sensitive by default.
- Do not commit API keys or provider credentials.
- Do not store production user data in example suites or baselines.
- Scrub private prompts, traces, and outputs before sharing reports.
- Prefer environment variables or secret managers for credentials.
- Review CI artifacts before making them public.