Report security issues privately via GitHub Security Advisories:
👉 https://github.com/jacob-balslev/skill-graph/security/advisories/new
Please do not open a public issue for security reports.
If you cannot use GitHub Security Advisories, open a minimal public issue requesting an alternate private security channel. Do not include vulnerability details, secrets, reproduction payloads, or personal data in that public request.
| Phase | Target |
|---|---|
| Triage acknowledgement | within 7 calendar days of report |
| Initial assessment | within 14 days |
| Fix or mitigation plan | within 30 days for high-severity issues; 90 days otherwise |
These are targets, not guarantees. Single-maintainer project — please be patient and follow up if you have not heard back.
In scope:
- Source code, CLI binaries, and the published @skill-graph/cli npm package.
- The marketplace/export pipeline and the scripts in scripts/.
- Documentation in this repository.
Out of scope:
- Skills loaded into third-party agent runtimes.
- Forks of this repo published outside github.com/jacob-balslev.
- Vulnerabilities in upstream dependencies — please report to those projects.
- Issues in the sibling repos (skill-metadata-protocol, skill-audit-loop, skills) — file those against the respective repo.
We follow coordinated disclosure. Reporters will be credited in the published security advisory once a fix is released, unless the reporter requests anonymity.
Only the latest minor release line on main receives security fixes. Older lines are upgrade-only.