AIPM

Privacy

Know what is public and what should stay private.

AIPM is built for public AI skill packages. This page explains what data is used for accounts, publisher profiles, package metadata, tokens, and project files.

Account identity

When you sign in, AIPM uses your GitHub identity to connect publishing actions to your account.

Publisher profile

Your display name and profile image help users see who owns an org or package.

Organization and package records

Org names, package names, metadata, versions, and public package files are stored by the registry.

Short-lived publish tokens

Publish tokens are used by the CLI, expire quickly, and should not be saved in project files.

Operational logs

The registry may process request metadata to run the service, address abuse, and keep the service available.

Local preferences

The website can save your theme choice in your browser. This is not needed for publishing.

What becomes public

Package names, descriptions, targets, versions, manifests, and included skill files are public registry content. Check them before you publish.

  • Published packages are public by default.
  • Do not publish credentials, private prompts, customer data, internal documents, or private project notes.
  • Use aipm publish preview and .aipmignore before publishing.
  • Rotate any exposed secret immediately. Removing a package does not make a leaked secret safe again.

What AIPM does not need

AIPM does not need private source code, secrets, customer records, internal documents, or unrelated project files. A good package includes only the manifest, main skill file, examples, and tool files the skill needs.

Privacy work still planned

AIPM should add account deletion, package owner transfer, stronger audit logs, verified publisher labels, private packages, and a privacy contact channel.