jasny / sso

Simple Single Sign-On for PHP

Attach - security

rayout opened this issue · comments

Is the library safe?
I can copy my attach link and send it to a friend. When he opens this attach link, I can see the friend's profile in my browser.

In this case, a hacker can do the same: just put an evil attach link on an evil site, then wait for a user's visit.

What am I doing wrong?

Valid concerns. Without additional security measures, this could be abused. I'll address these issues in the upcoming version.