Skip to content

Security: agent-shells/powershell-skills

Security

SECURITY.md

Security Policy

Supported Versions

Security fixes are accepted on main. The latest tagged release is the supported release line.

Version Supported
v0.3.x Yes
v0.2.x No, upgrade to v0.3.x
v0.1.x No, upgrade to v0.3.x

Reporting a Vulnerability

Open a private security report through GitHub if available, or open a minimal public issue that does not include secrets or exploitable private details.

Do not include:

  • credentials, tokens, API keys, cookies, or private keys
  • raw logs from private projects
  • private repository names
  • private filesystem paths
  • customer data
  • proprietary source code

Security Boundaries

This project must not:

  • bypass Codex, Claude Code, OS, shell, GitHub, or workspace permission rules
  • add automatic failure upload, telemetry, scheduled collection, or raw context submission
  • execute destructive filesystem operations without explicit target validation
  • hide command execution from the agent surface or user permission model

Maintainer Response

Maintainers should triage security reports by impact:

  • critical: credential exposure, privilege bypass, destructive execution without validation
  • high: command injection, unsafe path handling, unsafe default install/update behavior
  • medium: privacy leak in docs, logs, examples, or failure corpus
  • low: hardening or documentation-only issues

Accepted fixes should include a regression test when practical.

There aren't any published security advisories