| Version | Supported |
|---|---|
Latest on main |
Yes |
| Older commits | Best effort |
If you discover a security vulnerability in π ππππππππππ. Skills, please report it responsibly.
Do not open a public issue.
Email: void@div0.space
Include:
- Description of the vulnerability
- Steps to reproduce
- Impact assessment (what can an attacker do?)
- Affected skill(s) or script(s)
We will acknowledge receipt within 48 hours and provide an initial assessment within 7 days.
This policy covers:
- All skill definitions (
vc-*/SKILL.md) - Install and spawn scripts (
scripts/,install.sh) - Shell helpers installed by
install-shell.sh - CI workflows (
.github/workflows/)
Out of scope:
- Runtime foundations (
aicx-mcp,loctree-mcp,prview) β report to their respective repos - Agent CLIs (Codex, Claude, Gemini) β report to their vendors
- Spawn scripts use
zsh -icwhich loads the user's full shell environment. This is by design β agents need the real env. Do not run spawns in untrusted environments. --dangerously-skip-permissionsflags are required for external agents. This is documented and intentional. Thevc-delegateskill exists as the safe alternative.- No secrets should ever be committed to this repo. Skills read credentials from environment variables only.