TinyChannels is a channel and messaging library for OpenHuman harness communication. Security-sensitive areas include message routing, transport adapters, channel identity, harness boundaries, event metadata, prompt or context payloads, and credentials passed through runtime context.
Report concerns to contact@tinyhumans.ai.
TinyChannels is pre-1.0. Security fixes target the main branch until the
project starts maintaining release branches.
Please do not open a public issue for a suspected vulnerability.
Report security concerns by emailing security@tinyhumans.ai with:
- a description of the issue
- affected versions or commits
- reproduction steps or proof of concept
- impact assessment
- any suggested fix or mitigation
We will acknowledge reports as quickly as practical and coordinate disclosure before publishing details.
Examples of in-scope issues:
- unintended cross-channel message leakage
- unsafe handling of credentials or secrets
- harness communication bypassing expected policy boundaries
- incorrect channel identity or routing metadata
- dependency vulnerabilities with a practical exploit path in TinyChannels
Examples generally out of scope:
- low-quality model output by itself
- unsafe workflows caused by downstream applications granting broad authority
- vulnerabilities in downstream applications that use TinyChannels incorrectly