Security: balgaly/skit

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in skit, please do not open a public issue.

Instead:

  1. Email balgaly@gmail.com with a description of the vulnerability
  2. Include steps to reproduce if possible
  3. Allow reasonable time for a fix before any public disclosure

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial assessment: Within 7 days
  • Fix: Depends on severity — critical issues are prioritized

Scope

This policy covers the skit CLI tool and its npm package. It does not cover third-party skills installed via skit.

Security Practices

  • Skills are installed from Git repositories — users should verify skill sources before installing
  • No telemetry or data collection
  • No credentials stored by the tool

Thank You

Security reports are taken seriously. Contributors who responsibly disclose vulnerabilities will be credited (unless they prefer to remain anonymous).

There aren't any published security advisories