Skip to content

Security: GuidateTest/instagram-carousel-studio

Security

SECURITY.md

Security

What this app stores locally

Data Where Sent to server?
Carousel designs localStorage (carousel-studio-editor-project) No
MCP API key localStorage (carousel-studio-mcp-api-key) Only to Zamili MCP when you publish
MCP base URL localStorage (carousel-studio-mcp-base-url) No

What we never do

  • No API keys in source code or git history
  • No analytics or tracking scripts
  • No automatic upload — publishing only runs when you click Publish carousel now
  • No proprietary brand assets in this repository

Publishing flow

  1. Slides are rendered in your browser as PNG (base64).
  2. PNGs are uploaded to your Zamili account via the MCP API (Authorization: Bearer zmcp_live_…).
  3. Zamili posts to Instagram using your connected account.

Revoke keys anytime in the Zamili dashboard → MCP.

Reporting issues

Open a GitHub issue — do not paste API keys in tickets.

There aren't any published security advisories