Only the latest release of skillscan-security on PyPI receives security fixes. Older versions are not patched.

Do not open a public GitHub issue for security vulnerabilities.

To report a vulnerability in SkillScan itself (the scanner, its rules, or its dependencies), please open a GitHub Security Advisory using GitHub's private vulnerability reporting feature. This keeps the report confidential until a fix is available.

Include:

• A description of the vulnerability and its potential impact
• Steps to reproduce, including the SkillScan version (skillscan version) and OS
• Any proof-of-concept or example files (redact sensitive content)

You will receive an acknowledgment within 72 hours. If a fix is warranted, a patched release will be published and a CVE will be requested if appropriate.

This policy covers:

• The skillscan-security Python package and CLI
• Detection rules and intel data bundled in the package
• The Docker image kurtpayne/skillscan

Out of scope:

• The website (skillscan.sh) — report issues via the GitHub Issues tracker
• Third-party dependencies — report upstream and open an issue here linking to the upstream advisory

When testing suspicious artifacts, use isolated systems and do not execute untrusted code. SkillScan itself performs only static analysis and never executes the files it scans, but the files you are scanning may contain malicious payloads that could be triggered by other tools.

If you discover that a SkillScan rule can be bypassed by a real malicious skill (a false negative that enables an attacker to evade detection), treat this as a security-sensitive report and use the private advisory process above rather than opening a public issue.