Security: Jackyffight/skillplus

SECURITY.md

Security Policy

Reporting a Vulnerability

Do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.

Use the repository's private vulnerability reporting channel if available. If private vulnerability reporting is unavailable, contact a project maintainer privately and avoid public disclosure until the maintainers have had a reasonable opportunity to investigate and coordinate a fix.

Response Expectations

Maintainers will acknowledge valid security reports as soon as practical, investigate the affected versions and components, coordinate remediation, and publish an advisory or release note when disclosure is appropriate.

Security-Sensitive Areas

Changes touching the following areas require security review before merge:

  • Skill manifests that request network access.
  • Skill manifests or implementations that persist user data.
  • Secret handling, credentials, tokens, or authentication material.
  • Dependency changes that add native code or unknown licensing.
  • Skill safety declarations, resource declarations, or output contracts.
  • Schema changes that affect sandbox, runtime, network, or data retention behavior.
  • Examples that call external APIs or process private user content.

Supported Scope

This policy applies to the Skill-Plus specification, JSON Schema, official Skills, SDKs, CLI, examples, and repository automation.

Contributor Responsibility

Contributors are responsible for ensuring that their submissions do not include secrets, proprietary code, private data, or third-party confidential material. AI-assisted contributions must be reviewed by the contributor for correctness, licensing, and security before submission.