Thank you for helping keep this project and its users safe.
Please do not report security issues through public GitHub issues, discussions, or pull requests.
Instead, use GitHub's private vulnerability reporting for this repository:
- Report a vulnerability: https://github.com/PBNZ/newton-skill/security/advisories/new
This channel is private, visible only to the maintainers and to GitHub's security infrastructure.
When reporting, please include as much of the following as you can:
- A clear description of the issue and its potential impact.
- The affected component (for example, `plugins/newton/skills/newton` or a tool-rules file).
- Steps to reproduce or a proof of concept.
- Any suggested mitigation or fix, if you have one.
After you submit a report, you can expect:
- An initial acknowledgement as soon as the maintainer sees the report.
- A follow-up with an assessment and a plan (accept, mitigate, or decline) once triage is complete.
- Public disclosure, if any, coordinated with the reporter after a fix or mitigation is available.
This policy covers the contents of this repository — the marketplace manifest, the Newton plugin, the Newton skill, and the generated tool-rules files. It does not cover:
- The Claude Code CLI, Claude.ai, Claude Desktop, the Claude API, or any other first-party Anthropic product. Please report those through Anthropic's own security channels.
- Third-party tools that ingest this skill (Cursor, Copilot, Codex, Gemini CLI, Windsurf, etc.). Please report those through each tool's own security channel.
Good-faith security research on this repository, including reproducing an issue on your own fork or test account, will not be met with legal action or treated as a violation of this project's terms, provided you:
- Avoid privacy violations, destruction of data, or disruption to other users.
- Do not exfiltrate any data beyond the minimum necessary to demonstrate the issue.
- Give the maintainers a reasonable opportunity to resolve the issue before any public disclosure.