If you discover a security vulnerability in claude-starter, please report it by emailing security@raintree.ai (or create a private security advisory on GitHub).

Please do not open a public issue.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

We will respond within 48 hours and provide a timeline for fixing the issue.

This package implements multiple layers of security:

• ✅ The CLI performs file-copy operations only; it does not shell out or execute external commands
• ✅ No shipped workflow engine executes arbitrary shell commands

• ✅ All file paths validated before operations
• ✅ isPathSafe() checks ensure paths stay within expected directories
• ✅ Relative paths only (no absolute paths)
• ✅ No .. directory traversal allowed
• ✅ Prefix-sibling paths are rejected with path.relative() containment checks

• ✅ The runtime does not recursively merge untrusted objects
• ✅ Settings merges copy known top-level keys instead of traversing arbitrary user-controlled paths

• ✅ Length checks before regex validation
• ✅ Simple, non-backtracking regex patterns
• ✅ Maximum input lengths enforced

• ✅ Symlinks detected and rejected during copy operations
• ✅ lstat() used instead of stat() to detect links
• ✅ Required template files must be regular files

• ✅ Shared template settings ship without wildcard tool permissions
• ✅ Executable hooks and elevated trust settings belong in .claude/settings.local.json

• ✅ Skill installation guidance requires commit-pinned GitHub sources
• ✅ Skill installs review a single downloaded artifact and surface its SHA-256 digest before install
• ✅ Installed bytes are copied from the reviewed artifact instead of being re-fetched from a mutable branch
• ✅ GitHub Actions are pinned to full commit SHAs in CI
• ✅ CI runs gitleaks secret scanning and CodeQL on every PR and push to main
• ✅ Dependabot version updates are configured for npm (root + site/) and GitHub Actions in .github/dependabot.yml
• ℹ️ Repository-level controls (secret-scanning push protection, Dependabot security alerts, branch protection) are configured in GitHub repo settings, outside this source tree

• ✅ All user inputs sanitized
• ✅ Skill IDs, paths, and command names validated before use
• ✅ Log injection prevention (control character filtering)

• User authentication - This is a local tool, no auth required

We regularly audit dependencies:

# Check for vulnerabilities
npm audit

# Update dependencies
npm update

# Check for outdated packages
npm outdated

Automated: GitHub Dependabot alerts enabled

1. Only install from npm:

   npx create-claude-starter  # ✅ Safe

2. Verify package integrity:

   npm view create-claude-starter dist.integrity

3. Don't run with elevated privileges:

   sudo npx create-claude-starter  # ❌ Not needed

4. Review installed skills before use:

   find .claude/skills -maxdepth 3 -name skill.md -print

1. Never commit secrets - Use .gitignore
2. Validate all inputs - Use security.js utilities
3. Default to typed execution - Use execFile or other typed actions by default
4. Test security - Run npm test
5. Update dependencies - Keep packages current

Before each release, verify:

• npm audit shows no vulnerabilities
• All dependencies up to date
• Security tests passing
• No hardcoded secrets or credentials
• All file operations use path validation
• Input validation on all user-provided data
• Error messages don't leak sensitive info
• CHANGELOG.md documents security fixes

Run security tests:

# Unit tests (including security)
npm test

# Dependency audit
npm audit

# Static analysis
npm run lint

• Depth-pack reframe; manifest system removed in favor of the init/docs CLI
• SSRF defense rebuilt: HTTPS-only parsing, IP-literal and private-suffix blocks, DNS public-address resolution check
• Atomic --force installs (staged replace with rollback) and batch preflight before any writes
• Docs cache hardened: 5 MB size cap, schema validation, 0700/0600 modes
• Symlink rejection across all copy paths
• CI with SHA-pinned actions: lint, tests, npm/bun audit, gitleaks, CodeQL

• Initial release with core security measures: command injection prevention, path traversal protection, ReDoS prevention, symlink mitigation, JSON-bomb limits

Security audit and improvements by the Raintree team.

If you have security concerns or suggestions, please contact us at security@raintree.ai.