
Security: Bobby-Gray/nudgr


SECURITY.md

Security policy

Reporting a vulnerability

Please report security issues by opening a private security advisory on GitHub, or by emailing the maintainer (see GitHub profile). We commit to acknowledging reports within 72 hours.

Coordinated disclosure: please don't publicly disclose until we've had a reasonable window to fix. We'll keep you updated and credit you (with permission) in the relevant release notes.

Scope

In scope:

  • This repository's source code
  • The nudgr CLI as published on PyPI (when it ships)
  • The accompanying Claude skill in skill/

Out of scope:

  • Third-party services nudgr integrates with (Google Calendar API, Apple EventKit, Cloudflare, etc.) — report directly to them
  • Vulnerabilities in transitive dependencies — please report upstream and we'll bump
  • Issues in the user's own Claude Code installation, OS, or shell

What we consider valid

  • Authentication / token-handling bugs (Google OAuth flow, Apple app-specific password storage)
  • Path traversal or symlink-following in prompt-file or working-dir handling
  • Injection in tmux command construction or osascript invocation
  • SQLite query construction allowing unintended data access (we use parameterized queries everywhere; a regression here is valid)
  • Privilege escalation via dispatcher (launchd / systemd unit generation)
  • Sensitive data exposure in logs or dispatch_log rows (the notes field, working-dir paths, etc.)

What we don't consider valid

  • Findings that require an attacker to already have local code-execution as your user
  • "The user can put a malicious command in extra_flags" — that's working as intended; nudgr trusts its own CLI input
  • DoS via filling the SQLite DB
  • Lookalike package names on PyPI we don't control

Data handling commitments

  • nudgr's SQLite database lives only on the user's machine
  • OAuth tokens are stored at ~/.local/share/nudgr/google_token.json with 0600 permissions (when the auth flow lands)
  • macOS Calendar permission is requested via standard TCC — same as any other Calendar.app integration
  • nudgr does not phone home, send telemetry, or upload your items anywhere
  • The only network calls nudgr makes are to calendar provider APIs (Google); Apple calendar access goes through local OS APIs (EventKit), not the network
