Security fixes are applied to the latest released version. Please make sure you are on the most recent release before reporting an issue.
Please do not open a public GitHub issue for security vulnerabilities.
Instead, report them privately using GitHub's private vulnerability reporting ("Report a vulnerability" under the repository's Security tab).
Please include:
- A description of the vulnerability and its impact.
- Steps to reproduce, ideally with a minimal
SKILL.mdor input. - The
skrefversion and your platform.
- We aim to acknowledge reports within 3 business days.
- We will keep you informed about the progress of a fix and coordinate disclosure timing with you.
- With your permission, we are happy to credit you in the release notes once a fix ships.
skref reads and validates local SKILL.md files and emits text. It performs
no network access and executes no skill code itself. The most relevant concerns
are therefore around parsing untrusted input (malformed frontmatter, adversarial
Unicode, resource exhaustion). Reports demonstrating crashes, hangs, or
incorrect validation results on untrusted input are in scope and welcome.