If you discover a security vulnerability in this project, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, use one of these methods:
- GitHub Security Advisories (preferred): Report a vulnerability
- Email: Open a private security advisory on the repository
This plugin is a collection of Markdown instructions and JSON configuration — it contains no executable runtime code. However, security concerns may include:
- Prompt injection via malicious spec files
- Unsafe commands in hook configurations
- Exposure of sensitive data through generated code
- Vulnerabilities in recommended external tools (Semgrep, Trivy, etc.)
We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation within 7 days for confirmed vulnerabilities.