| Version | Supported |
|---|---|
| 1.0.x | Yes |
| < 1.0.0 | No |
If you discover a security vulnerability, please report it privately:
- Email: gfernandf+security@gmail.com
- Subject:
[SECURITY] agent-skills — <brief description> - Include: affected version, reproduction steps, and potential impact.
Do NOT open a public GitHub issue for security vulnerabilities.
We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation within 7 business days for critical issues.
For details on the runtime's security architecture, see:
- docs/SECURITY.md — OWASP coverage, SSRF/LFI protections, credential handling
- docs/AUTH.md — Authentication, RBAC, JWT verification
- docs/ADAPTER_AUTH_POLICY.md — Adapter secret management
- docs/OPENAPI_ERROR_SECURITY_BASELINE.md — API error security baseline
This policy covers:
- The
agent-skillsruntime (this repository) - The
agent-skill-registrycompanion repository - Official bindings and services shipped in this repository
Third-party plugins, community skills, and external service endpoints are outside scope.