Skip to content

Security: TTigger/ccpop

Security

SECURITY.md

Security

Data boundary

ccpop runs entirely locally and sends nothing over the network, with one explicit exception (below). Specifically it:

  • reads only the file you pass to ccpop view;
  • reads/writes ~/.claude/ccpop.config.json and ~/.claude/ccpop.state.json;
  • spawns your editor, npm, or the system "open" handler (browser) that you configured;
  • renders markdown to HTML locally, escaping raw HTML and neutralizing dangerous link schemes (javascript:#) so opening untrusted AI-generated markdown cannot execute scripts.

Network exception: when a rendered document contains a ```mermaid block (and view.mermaid is enabled), the generated HTML includes a single <script> from a fixed CDN origin (jsDelivr) to draw the diagram. This tag is fixed and never derived from the markdown content. Disable it with ccpop config set view.mermaid false.

Reporting a vulnerability

Please open a private security advisory on the GitHub repository, or contact the maintainers before public disclosure. Include reproduction steps and the affected version (ccpop --version).

There aren't any published security advisories