This repository contains agent skills: mostly SKILL.md instructions plus optional references, scripts, and assets. If a bundled instruction, template, or script could lead an agent to leak data, suggest a destructive command without confirmation, mishandle secrets, or otherwise behave unsafely, we want to know.
The latest release on main receives fixes. Older tags do not.
| Version | Supported |
|---|---|
| latest (main) | Yes |
| older tags | No |
Please do not report security issues through public GitHub issues, discussions, or pull requests.
Report privately through either:
- Email: wavever.ht@gmail.com
- GitHub private vulnerability reporting ("Report a vulnerability" under the repository's Security tab).
You should receive an acknowledgement within 3 business days. If you do not, please follow up.
A report should include:
- A description of the issue and its potential impact.
- The affected skill and file(s).
- Steps to reproduce, including the agent prompt or scenario that triggers the behavior.
- Any suggested mitigation.
Please give a reasonable window (default 90 days) to investigate and ship a fix before any public disclosure. We will credit you in the advisory unless you prefer to remain anonymous.
In scope:
- Instructions, references, templates, scripts, or assets in this repository that could cause an agent to behave unsafely — for example, leaking secrets, recommending irreversible commands without confirmation, or producing incorrect licensing guidance.
Out of scope:
- Vulnerabilities in the agent application that runs a skill (report those to that vendor).
- The behavior of files a skill generates for your project — always review generated output before publishing.