If you discover a security vulnerability, please report it privately:

1. Do NOT open a public GitHub issue
2. Use GitHub's private vulnerability reporting feature
3. Include: description, reproduction steps, and impact assessment

We aim to respond within 48 hours and release a fix within 7 days for critical issues.

• Command injection via config values
• Privilege escalation during install
• Unsafe temporary file handling
• Supply chain risks in default template URLs