Security: truefoundry/tfy-agent-skills

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in this repository, please report it privately.

Preferred options:

  • Open a private GitHub security advisory for this repository.
  • If that is not available, open a public issue that contains only a request for a private follow-up channel. Do not include exploit details in the public issue.
  • Existing TrueFoundry enterprise customers should use their standard support/escalation channel and mark the report as security-sensitive.

Please include:

  • A clear description of the vulnerability and impact.
  • Reproduction steps or a proof of concept.
  • Affected files, skills, or scripts.
  • Any suggested mitigation.

Scope

This policy applies to:

  • Skill instructions under skills/*/SKILL.md
  • Shared scripts and references under skills/_shared/
  • Installer and helper scripts under scripts/ and hooks/

Response Process

  • We will acknowledge valid reports as quickly as possible.
  • We will investigate, triage severity, and prepare a fix.
  • We will coordinate disclosure timing with the reporter when possible.

Supported Versions

Security fixes are applied to the latest supported branch in this repository.

There aren’t any published security advisories