Rules for publishers
- Only publish packages you are allowed to share.
- Do not publish secrets, private prompts, customer data, confidential documents, malware, or misleading content.
- Use package names honestly. Do not pretend to be another person, company, project, or tool.
- Describe supported tools, installed files, and expected behavior accurately.
- Publish updates as new versions. Do not silently change an existing public release.
- Respond quickly if maintainers contact you about security, abuse, trademark, or privacy concerns.
User expectations
- Review package details and publisher identity before installing.
- Install public packages only when you understand the files they add.
- Treat AI output as assistant help, not guaranteed professional advice.
- Report packages that look unsafe, misleading, infringing, or privacy-invasive.
Org and package names
Namespaces and package names should show real ownership and purpose. AIPM may reserve, rename, restrict, or remove names that confuse users, abuse the registry, or impersonate someone else.
Registry moderation
AIPM may hide, remove, or restrict packages that leak sensitive data, include malicious files, misrepresent behavior, violate rights, or put users at risk. If a secret was exposed, rotate it immediately; removal alone is not enough.
Planned policy work
As the product matures, AIPM should add:
- formal takedown and appeal process
- verified publisher labels
- package abuse reporting inside the dashboard
- private package terms
- publisher organization transfer policy
- dedicated legal and abuse contact channels