Security reports are welcome for the latest stable release and for any current pre-release candidate linked from the repository documentation.

Please use GitHub private vulnerability reporting when possible.

Fallback contact: dev@gerbenvdvelde.nl

Do not report sensitive vulnerabilities in public GitHub Issues.

Examples in scope:

• unsafe or malicious skill instructions;
• installer writes outside documented targets;
• accidental credential or sensitive-data disclosure;
• release, tag, or package integrity concerns;
• generated-file behavior that may expose sensitive data.