Report security issues privately via GitHub Security Advisories:
https://github.com/jacob-balslev/skill-audit-loop/security/advisories/new

Please do not open a public issue for security reports.

If you cannot use GitHub Security Advisories, email jacobbalslev@gmail.com with the subject line `[security] skill-audit-loop - <short description>`.

| Phase | Target |
|---|---|
| Triage acknowledgement | within 7 calendar days of report |
| Initial assessment | within 14 days |
| Fix or mitigation plan | within 30 days for high-severity issues; 90 days otherwise |

These are targets, not guarantees. This is a single-maintainer project; please be patient and follow up if you have not heard back.

In scope:

- Source code in `src/` and the published `@skill-graph/audit` npm package.
- Eval fixtures and grader scripts in `evals/` and `src/graders/`.
- Documentation in this repository.

Out of scope:

- Skills audited by this tool (they are owned by their respective libraries).
- Forks of this repo published outside `github.com/jacob-balslev`.
- Vulnerabilities in upstream dependencies; please report those to the respective upstream projects.
- Issues in the sibling repos (skill-metadata-protocol, skill-graph, skills); file those against the respective repo.

We follow coordinated disclosure. Reporters will be credited in the published security advisory once a fix is released, unless the reporter requests anonymity.

Only the latest minor release line on `main` receives security fixes. Older lines are upgrade-only.