Skip to content

Security: rmonier/agent-smith

Security

SECURITY.md

Security Policy

Reporting a vulnerability

If you believe you've found a security issue in agent-smith — for example, a way the skills could be tricked into exfiltrating repository content, installing unpinned/unverified tooling, or bypassing the consent-first install and data-flow-disclosure model — please report it privately rather than opening a public issue.

Preferred: use GitHub's private vulnerability reporting for this repository. Alternatively, reach the maintainer via GitHub.

Please include:

  • The skill or script involved and, if applicable, the harness/provider combination that reproduces it.
  • Steps to reproduce, or the specific data flow you're concerned about.
  • The potential impact as you see it (what an attacker or a misconfigured agent could actually do).

What's in scope

The three product skills (agent-ready-context, skill-creator, subagent-profile-adapter) and their bundled scripts. Issues in the vendored openkb/graphify tool skills should generally be reported upstream to those projects, unless the issue is specifically in how this repository pins, vendors, or invokes them.

Design background

This project's security and privacy model — consent-first installs, pinned/integrity-checked tooling, explicit provider routing, data-flow disclosure before LLM calls — is documented in README.md § Security and Privacy. Read that first; many "is this safe?" questions are already answered there.

Response

There's no formal SLA — this is a single-maintainer project — but reports will be acknowledged and triaged as soon as practical, and credited in the fix unless you ask otherwise.

There aren't any published security advisories