All skill content in this repository is covered by this security policy.

| Component | Supported |
|---|---|
| Skill definitions (SKILL.md files) | Yes |
| Scripts and automation | Yes |
| Documentation | Yes |

If you discover a security issue with any skill's scripts, instructions, or content, please report it responsibly:

- Do not open a public issue
- Use GitHub's private security advisory: Report a vulnerability
- Include in your report:
  - Affected skill name and file path
  - Nature of the vulnerability
  - Potential impact
  - Steps to reproduce (if applicable)
  - Suggested fix (if you have one)
- Initial acknowledgment: Within 48 hours
- Assessment and triage: Within 1 week
- Fix or mitigation: Based on severity, typically within 2 weeks

The following are in scope for security reports:

- Skills that contain commands or scripts that could cause unintended harm
- Instructions that could lead to unauthorized access if followed incorrectly
- Sensitive data accidentally included in skill content
- Dependencies or external references that have become compromised

We credit responsible disclosures in our changelog. If you report a valid security issue, we will acknowledge your contribution unless you prefer to remain anonymous.

For security matters that cannot be reported through GitHub's advisory system, reach out via the repository's discussion forum.