If you discover a security vulnerability in PaperBanana, please report it responsibly.

Do not open a public issue. Instead, email dip@llmsresearch.com with:

• A description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix, if you have one

We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation plan within 7 days for critical issues.

PaperBanana interacts with external APIs and processes user-provided text. Users should be aware of the following:

API Keys: Your Google Gemini API key is stored locally in .env. Never commit this file to version control. The .gitignore already excludes it.

Generated Code Execution: The paperbanana plot command generates and executes Matplotlib code via Gemini. While the execution environment is sandboxed to plotting functions, users should review generated code before running it in production environments.

MCP Server: The MCP server exposes PaperBanana's functionality to IDE clients. It runs locally and does not accept remote connections by default. Do not expose the MCP server to untrusted networks.

Reference Data: The reference dataset contains publicly available figures from arXiv papers, used under fair use for research purposes. No proprietary or restricted data is included.

We monitor dependencies for known vulnerabilities through GitHub's Dependabot. If you notice a vulnerability in one of our dependencies, please report it through the process above.