skill-cli is pre-1.0 and actively developed. Security fixes are applied to the
latest main and the most recent release only.
| Version | Supported |
|---|---|
| 0.1.x | β latest release |
| < 0.1 | β not supported |
Please do not open a public GitHub issue for security problems.
Instead, report vulnerabilities privately:
- π§ Email: victor@tomaili.com
- Or use GitHub's private vulnerability reporting
Please include:
- A description of the issue and its impact.
- Steps to reproduce (a minimal command + input is ideal).
- The affected version (
skill --version) and your OS / Node version. - Any suggested fix, if you have one.
- Acknowledgement: within 48 hours.
- Initial assessment: within 5 business days.
- Fix or mitigation: targeted for the next patch release, depending on severity.
We will credit reporters in the release/changelog unless you prefer to remain anonymous.
skill-cli fetches skill packages from arbitrary sources (install), writes to
~/.skill-cli, and injects an instruction block into your agent config files.
We take the following especially seriously:
- Path traversal during
install/update(writing outside the store). - Arbitrary code execution via the
npx skills addspawn, especially on Windows (cmd.exeshell-metacharacter handling). - Corruption or data loss in your agent instruction files
(
CLAUDE.md/AGENTS.md/GEMINI.md) duringinit -g.
Out of scope (by design / delegated):
- The contents of third-party skills fetched via
npx skillsβ review what you install, just like any package. skill-cli installs into an isolated store and never copies into agent directories. - Vulnerabilities in
npx skillsitself β report those upstream.
install/updatedest names are sanitized (SAFE_NAME) β a malicious frontmattername: ../xcan't escape the store.updatecase-folds skill names, so an unknown name can't reach a store path.- The Windows
npxspawn usesshell:falsewith an args array and rejects sources containing shell metacharacters (& | < > ^). init -ginjection is wrapped in idempotent markers and preserves existing file content.