If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public issue
- Email the maintainers directly or use GitHub Security Advisories
- Include steps to reproduce, impact assessment, and suggested fix if possible
| Stage | Timeline |
|---|---|
| Acknowledgment | Within 24 hours |
| Initial Assessment | Within 72 hours |
| Fix for Critical Issues | Within 7 days |
| Public Disclosure | After fix is released |
| Version | Supported |
|---|---|
| 3.0.x | Yes |
| 2.1.x | No |
| 2.0.x | No |
| 1.x | No |
| < 1.0 | No |
AgentSpec generates and executes code through Claude Code. Keep these practices in mind:
- Review agent outputs before executing generated code in production
- Do not store secrets in KB domains, examples, or SDD documents
- Validate external data referenced in custom agents or KB patterns
- Use
.gitignoreto exclude sensitive files from SDD feature documents - Review PR diffs carefully when using
/create-pr— ensure no credentials are staged
This security policy covers the AgentSpec framework itself (agents, commands, templates, KB scaffolding). It does not cover:
- Code generated by agents during
/build(your responsibility to review) - Third-party KB domain content
- Claude Code or Anthropic API security (report to Anthropic)