hugging-research / docs /security.md

Security & privacy

Principles

  • Read‑only: tools never send Authorization headers
  • Respect gated/private resources and label them as not accessible
  • Don’t log secrets; HF_TOKEN is only for the inference model

Details

  • Tools normalize visibility and access fields
  • The Report view renders HTML in memory; no report files are saved

Scope

  • No write operations to the Hub
  • Only public endpoints and domain‑restricted search are used