Security review

What the Security reviewed badge checks, and how to request a review for your package.

Security review

The Security reviewed badge signals that a package has passed Nuclexa's manual security review. It is one of the strongest trust signals in the marketplace.

What the badge means

A package with the badge has been read end to end by a reviewer who confirmed that:

The package does only what its description and README.md claim.
Its declared permissions match its actual behavior — nothing over-requested, nothing out of scope.
It contains no obfuscated instructions, prompt-injection traps, or attempts to exfiltrate files, environment variables, or secrets.
Any network calls go to documented, expected destinations.
Its examples are honest and reproducible.

The badge is tied to a specific version. A new major or minor release re-enters the review queue.

What the review checks

Check	What it verifies
Manifest accuracy	`agent.json` is valid and matches behavior
Permission minimalism	Every granted permission is actually used
Instruction integrity	No hidden, obfuscated, or injection-style instructions
Data handling	No unexpected exfiltration of files, `env`, or `secrets`
Network destinations	Outbound calls match what the package documents
Examples	Examples are accurate and don't hide risky behavior

How to request a review

Make sure your package validates and uses the minimal permission scope — see the Permissions model.
Publish the version you want reviewed.
Request it from the CLI:

bash

npx nuclexa review request security-review@1.0.0

Address any findings, publish a fixed version, and re-request if needed.

A clean, minimal package usually clears review on the first pass. Start from the Publishing guide if you haven't shipped yet.

What the badge means

A package with the badge has been read end to end by a reviewer who confirmed that:

The package does only what its description and README.md claim.

Its declared permissions match its actual behavior — nothing over-requested, nothing out of scope.

It contains no obfuscated instructions, prompt-injection traps, or attempts to exfiltrate files, environment variables, or secrets.

Any network calls go to documented, expected destinations.

Its examples are honest and reproducible.

The badge is tied to a specific version. A new major or minor release re-enters the review queue.

What the review checks

Check	What it verifies
Manifest accuracy	`agent.json` is valid and matches behavior
Permission minimalism	Every granted permission is actually used
Instruction integrity	No hidden, obfuscated, or injection-style instructions
Data handling	No unexpected exfiltration of files, `env`, or `secrets`
Network destinations	Outbound calls match what the package documents
Examples	Examples are accurate and don't hide risky behavior

How to request a review

Make sure your package validates and uses the minimal permission scope — see the Permissions model.

Publish the version you want reviewed.

Request it from the CLI:

bash

npx nuclexa review request security-review@1.0.0

Address any findings, publish a fixed version, and re-request if needed.

A clean, minimal package usually clears review on the first pass. Start from the Publishing guide if you haven't shipped yet.