Summary
Over the past weeks, I've come across an escalating pattern of unauthorized OpenMAIC deployments — ranging from simple iframe embedding to commercial operations by registered companies. This issue consolidates the findings and suggests possible actions for the maintainers to consider.
Escalation Pattern
Tier 1: Community Wrapping (Low and temporarily fixed)
Third-party sites embedding or wrapping the OpenMAIC interface, typically via iframe or reverse proxy. Minimal modification, attribution sometimes preserved.
Tier 2: User Asset Risk (Medium to High)
Public-facing OpenMAIC instances (discoverable via search engines) that accept user-supplied API keys. Due to the proxy architecture, any API key entered is transmitted in plaintext to the instance operator's server. Users who find these instances through search engines may not understand this risk.
Tier 3: Commercial AGPL Violation (High)
I've found cases where registered commercial entities have deployed modified OpenMAIC instances as part of their product offering — with rebranding, custom domains, and commercial promotion — without providing source code access to users as required by AGPL-3.0.
Under AGPL-3.0 Section 13, making a modified version available over a network triggers the obligation to offer the Corresponding Source to all users. Failure to do so is a license violation.
I can share details of specific entities with maintainers privately to avoid publicizing infringing sites.
Suggested Actions
For user safety
For license clarity
- The README already includes an AGPL-3.0 badge and commercial licensing contact, which is great
- Consider adding a
NOTICE file or LICENSE_FAQ.md that explicitly spells out what AGPL-3.0 requires for network deployments (e.g. "If you deploy this as a web service, you must make your complete source code available to users")
For enforcement
- Send AGPL compliance notices to identified commercial violators
- Consider setting up a simple way for the community to report unauthorized deployments (e.g. a dedicated email)
Context
I'm currently working on some multi-user OpenMAIC infrastructure for a research team, which is how I stumbled onto these public deployments. This is not about restricting legitimate self-hosting — the concern is:
- User safety: uninformed users entering API keys on untrusted instances
- License compliance: commercial entities profiting without fulfilling AGPL obligations
- Project reputation: modified deployments with poor security reflecting on the OpenMAIC brand
Would love to hear the maintainers' perspective on how to handle this. Happy to help with any of the above.
Related
Summary
Over the past weeks, I've come across an escalating pattern of unauthorized OpenMAIC deployments — ranging from simple iframe embedding to commercial operations by registered companies. This issue consolidates the findings and suggests possible actions for the maintainers to consider.
Escalation Pattern
Tier 1: Community Wrapping (Low and temporarily fixed)
Third-party sites embedding or wrapping the OpenMAIC interface, typically via iframe or reverse proxy. Minimal modification, attribution sometimes preserved.
Tier 2: User Asset Risk (Medium to High)
Public-facing OpenMAIC instances (discoverable via search engines) that accept user-supplied API keys. Due to the proxy architecture, any API key entered is transmitted in plaintext to the instance operator's server. Users who find these instances through search engines may not understand this risk.
Tier 3: Commercial AGPL Violation (High)
I've found cases where registered commercial entities have deployed modified OpenMAIC instances as part of their product offering — with rebranding, custom domains, and commercial promotion — without providing source code access to users as required by AGPL-3.0.
Under AGPL-3.0 Section 13, making a modified version available over a network triggers the obligation to offer the Corresponding Source to all users. Failure to do so is a license violation.
I can share details of specific entities with maintainers privately to avoid publicizing infringing sites.
Suggested Actions
For user safety
For license clarity
NOTICEfile orLICENSE_FAQ.mdthat explicitly spells out what AGPL-3.0 requires for network deployments (e.g. "If you deploy this as a web service, you must make your complete source code available to users")For enforcement
Context
I'm currently working on some multi-user OpenMAIC infrastructure for a research team, which is how I stumbled onto these public deployments. This is not about restricting legitimate self-hosting — the concern is:
Would love to hear the maintainers' perspective on how to handle this. Happy to help with any of the above.
Related