SkillBench can execute agent commands in full-agent mode. Treat eval cases and agent runners as code-adjacent inputs.
Security fixes target the latest released version on the main branch.
Please report suspected vulnerabilities privately to the repository owner before opening a public issue. Include:
- Affected SkillBench version or commit.
- The command or eval case needed to reproduce the behavior.
- Any generated
report.json,case_results.jsonl, oragent_runs/evidence with secrets removed.
- Do not publish API keys, private transcripts, or proprietary skill documents in issues.
- Use
--agent-timeoutforfull-agentruns. - Review
SKILLBENCH_AGENT_COMMANDbefore running third-party eval sets. - Prefer isolated worktrees or disposable directories for behavior audits.