Skip to content

Security: wochaotom/Stack-Setup-Curated

Security

SECURITY.md

Security Policy

This repo contains agent skills and scripts that can influence how coding agents read, write, verify, and sync local workspaces. Treat prompt-injection, unsafe shell behavior, and supply-chain drift as security issues.

Reportable Issues

Please report:

  • prompt-injection directives inside bundled skills,
  • fetch-and-execute patterns,
  • dynamic PowerShell execution,
  • credential-shaped secrets in skills, docs, fixtures, or logs,
  • converter path traversal or writes outside the requested output root,
  • sync behavior that overwrites unexpected locations,
  • false-success exits for blocked or unsupported conversions,
  • platform adapter claims backed by unofficial or unsafe sources.

Current Guardrails

Run:

& .\scripts\scan_skills.ps1
& .\scripts\harness_test.ps1
& .\skills\stack-setup-audit\scripts\self_test.ps1 -Path (Get-Location)
& .\skills\stack-setup-audit\scripts\fixture_test.ps1
& .\scripts\sync_skills.ps1

The scanner rejects direct prompt-injection phrases, dynamic PowerShell execution, fetch-and-execute pipelines, and credential-shaped secret literals in bundled skill files.

Disclosure

There is no bounty program. If GitHub private security advisories are available for this repository, use them. Otherwise, open a minimal public issue that does not include live credentials, private paths, or exploit details beyond what is needed to reproduce safely.

There aren't any published security advisories