Security: izo/Ulk

SECURITY.md

Security Policy

Scope

ulk is a collection of Markdown agent definitions and shell scripts. Security considerations apply to:

  • install.sh and other shell scripts (arbitrary code execution on the user's machine)
  • Community skills bundled from third-party sources
  • Node.js generators in cheatheet/

Reporting a Vulnerability

If you discover a security issue (e.g., a shell script that could be exploited, hardcoded credentials, malicious content in bundled skills), please do not open a public issue.

Instead:

  1. Email the maintainer directly (check GitHub profile for contact)
  2. Or open a GitHub Security Advisory

Expected response time: within 7 days.

What counts as a vulnerability

  • Shell injection in install.sh or other scripts
  • Credentials or API keys committed to the repo
  • Agent prompts that could lead Claude to execute destructive commands
  • Malicious content in community skills (community-skills/)

What does NOT count

  • An agent producing incorrect or suboptimal output (that's a bug, not a security issue)
  • Usage of eval in install.sh for JSON parsing (known, tracked as ULK-127)

There aren’t any published security advisories