Skip to content

Security: EvilHumphrey/Second-Opinion

SECURITY.md

Security & privacy

Second Opinion is a read-only local diagnostic. It makes no changes to the machine and never sends data anywhere — the AI step is you pasting a prompt into your own AI.

Reporting

Please do not paste an unredacted report, or any identifier that survived into ai-prompt.txt, into a public issue — that would leak exactly what this tool is trying to protect.

  • Privately (preferred for anything sensitive): use GitHub's private vulnerability reporting on this repo (the Security tab → Report a vulnerability). It opens a private channel with the maintainer.
  • Redaction gaps (the most valuable report): ai-prompt.txt has key identifiers removed on a best-effort basis — username, PC name, BIOS serial, network addresses, Windows profile path names, and raw device display names that may carry personal labels — but it is not guaranteed. If you find an identifier that survives into ai-prompt.txt, report it privately, and describe it in sanitized form (don't include the real value).
  • Ordinary bugs (no sensitive data): a regular GitHub issue is fine.

Artifact safety

  • The top-level out\report.html is unredacted (it shows the PC name and hardware). Share it only with the person helping you, never publicly — not on a forum, in a chat, or as a screenshot.
  • Share-safe artifacts (best-effort redacted): ai-prompt.txt, and the -HelperPacket bundle in out\packet\ — a redacted report.html, plus helper-summary.md, redacted-evidence.json, redaction-audit.txt, unreadable-signals.txt. Use these for public help / AI / forums.
  • Don't post publicly: the top-level out\report.html, the whole out folder, or screenshots of it.
  • The tool never writes outside the output folder you choose (default .\out) and never touches Windows settings, the registry, services, or drivers.

There aren't any published security advisories