If you discover a security vulnerability in this repository, please report it privately. Do not open a public GitHub issue.
The fastest way to report is via GitHub's private vulnerability reporting:
- Go to the Security tab of this repository
- Click Report a vulnerability
- Fill out the form with as much detail as possible
This keeps the report confidential while we investigate.
You can also email the security team directly at security@rampstack.co.
When reporting, please include:
- A description of the vulnerability
- Steps to reproduce
- The potential impact
- Any suggested mitigation, if you have one
- Whether you would like public credit when the fix ships
After you submit a report, you can expect:
- Acknowledgment within 3 business days
- Initial assessment within 7 business days, including a severity classification
- Status updates every 7 days while the fix is in progress
- Public disclosure coordinated with the reporter once a fix is available
This repository is a Claude Code plugin marketplace. The only files it ships are the marketplace manifest (.claude-plugin/marketplace.json), the marketplace documentation, and the validation workflow. The most likely security concerns here are:
- Marketplace manifest tampering that would redirect a plugin source to an unintended repository
- Misleading documentation that could lead a user to install an unintended plugin or marketplace
- CI workflow vulnerabilities in the manifest validation pipeline
The following are not security vulnerabilities for this repository:
- Issues with the skill content itself. Skill content lives in the source catalog at rampstackco/claude-skills; report those there.
- Issues with an individual plugin's source repository. Report those to the corresponding plugin repo: claude-skills-starter, claude-skills-seo, or claude-skills-pm.
- Issues with how Claude itself handles plugins. Report those to Anthropic.
- Issues with third-party tools recommended in any skill (Ahrefs MCP, GitHub MCP, etc.). Report those to the respective vendors.
- General feedback or suggestions on plugin packaging. Use Issues for those.
We thank security researchers who responsibly disclose vulnerabilities. With permission, we will list contributors who help keep this repository safe in this section.
No reports yet.
Thank you for helping keep this project and its users safe.