We take security seriously. If you discover a security vulnerability, please report it responsibly.

Do not report security vulnerabilities through public GitHub issues.

Instead, please send an email to the project maintainers with:

1. Description of the vulnerability
2. Steps to reproduce the issue
3. Potential impact of the vulnerability
4. Suggested fix (if you have one)

• Acknowledgment: We will acknowledge receipt within 48 hours
• Assessment: We will assess the vulnerability and its impact
• Timeline: We aim to provide a fix within 30 days for critical issues
• Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)

OpenSkill implements several security measures:

• All file paths are validated to prevent directory traversal attacks
• Skill names are sanitized before filesystem operations

• Symlinks are detected and rejected during skill installation
• File operations verify the target is a regular file or directory

• All Git arguments are properly escaped
• User input is never passed directly to shell commands

• File writes use atomic operations with proper locking
• Prevents race conditions and partial writes

1. Verify skill sources: Only install skills from trusted repositories
2. Review skill content: Check the skill's SKILL.md before installation
3. Keep updated: Run osk update regularly to get security fixes
4. Use HTTPS: Prefer HTTPS URLs over SSH for public repositories

Security advisories will be published on the GitHub Security Advisories page.