Do not open a public issue for security vulnerabilities.

To report a security vulnerability, please use GitHub's private security advisory feature.

• Description of the vulnerability
• Steps to reproduce
• Which skills, schemas, or tools are affected
• Potential impact assessment
• Suggested fix (if you have one)

• Acknowledgment: Within 7 days of report
• Assessment: Within 14 days of acknowledgment
• Fix or mitigation: Within 30 days for confirmed vulnerabilities

Marlin is a skills-based repository. Security concerns may include:

• Prompt injection via crafted input that bypasses intent parsing
• Schema validation bypass allowing malformed output
• Tool scripts (Python) with command injection or path traversal risks
• GitHub Actions workflow vulnerabilities
• Sensitive data leakage through benchmark or test fixtures

• Vulnerabilities in upstream LLM providers (Anthropic, OpenAI, Google)
• Issues in agent platforms (Claude Code, Cursor, Gemini CLI)
• Token estimation inaccuracy (this is a known approximation, not a security issue)

We follow coordinated disclosure. We will credit reporters in the CHANGELOG unless anonymity is requested.