← Health Export AI

Security

For security reviewers and integrators

Health Export AI is local-first and read-only — there is no account and no developer server, so the developer is never in your data path. This page documents how the product and its surfaces are hardened. Using the app? The plain-language version lives on the privacy page.

No third-party surface

Every page asset on this site — scripts, styles, fonts, images — is served from our own origin. There are no third-party scripts, fonts, trackers, or analytics, and the site is built to pass independent security-header audits. The MCP server itself is two zero-dependency Node files.

Supply-chain integrity

The MCP server artifacts are minisign-signed with a public key that is pinned from a second, independent source — the GitHub repository and SKILL.md, not only this site — so a compromise of the origin alone cannot swap both an artifact and its signing key. Every download is also SHA-256 checksummed. Agents and integrators should verify the signature and the checksums and fail closed on any mismatch before running anything. The verify recipe is in SKILL.md.

Transport & domain hardening

For reviewers, the edge and DNS are configured with:

Report a vulnerability

Email [email protected]. Machine-readable contact details are at /.well-known/security.txt.

Health Export AI · local-first, read-only. · Privacy · Terms · Support