Security: ToolmeshAI/browser-agent-recipes

SECURITY.md

Security Policy

This repository publishes workflow content rather than a hosted service, but security issues still matter. Unsafe instructions, malicious links, and secret exposure can all create real harm for operators.

What to report

Please report issues such as:

  • malicious, deceptive, or compromised links and downloads
  • recipes that encourage unsafe credential handling, token sharing, or MFA bypass
  • workflow steps that could trigger destructive actions without clear guardrails
  • embedded secrets, personal data, or customer-sensitive examples in repository content
  • prompt injection or browser automation guidance that could exfiltrate data or mishandle confidential material

How to report

  • Do not open a public issue for an unpatched security problem.
  • Use GitHub private vulnerability reporting if it is enabled for this repository.
  • If private reporting is not enabled, contact the maintainers privately through GitHub first.
  • Include the affected file or URL, impact, reproduction notes, and any safe mitigation you already identified.

Response targets

  • Initial acknowledgement: within 5 business days
  • Status update after triage: within 10 business days when the report is actionable
  • Resolution timing: depends on severity, exploitability, and whether the fix needs coordinated content changes

Supported versions

Version                                        Supported
main                                           Yes
Latest published v0.1.x release line           Yes
Older drafts or superseded pre-1.0 releases    Best effort only

Disclosure

Please give maintainers reasonable time to fix or remove unsafe content before public disclosure. Once a fix lands, maintainers may document the issue in release notes or repository history if that improves operator safety.

There aren’t any published security advisories