If you discover a security vulnerability in this project, please report it responsibly.
Do not open a public issue. Instead, email the maintainers directly.
We will acknowledge your report within 7 days and aim to publish a fix within 30 days.
This policy covers:
- The skill pipeline definitions (SKILL.md files and supporting references)
- The test infrastructure and validation scripts
- The test fixtures and benchmark tooling

This project does not run as a production service. It is a set of AI skill definitions and offline test tools. Security concerns are primarily:
- Maliciously crafted skill files that could cause unintended behavior when loaded by an AI assistant
- Arbitrary code execution through test fixture generation or screenshot capture
- Exposure of local file paths through error messages

| Version | Supported |
|---|---|
| 0.1.x | ✅ |

- Python: numpy, Pillow (visual comparison tools)
- Node.js: built-in modules only (no npm dependencies)
- Playwright: browser automation for screenshot capture (invoked via npx)

Report vulnerabilities in vendored third-party code (see THIRD_PARTY_NOTICES.md) to the respective upstream projects.