| Version | Supported |
|---|---|
| 1.x | ✅ Active support |
| < 1.0 | ❌ Not supported |
Please do not open a public GitHub issue for security vulnerabilities.
This repository distributes its primary installer via curl | bash, which makes responsible disclosure especially important. If you discover a security issue — including but not limited to path traversal in the installer, hook injection, DNS rebinding in update checks, or credential leakage — report it privately before any public disclosure.
Contact: dersonsena@gmail.com
Subject line: [SECURITY] dev-team-agents — <brief description>
Expected response time: 72 hours for acknowledgement, 7 days for a resolution timeline.
- A description of the vulnerability and the affected component (scripts/install.sh, a hook, an agent, etc.)
- Steps to reproduce or a proof-of-concept (redacted as needed)
- Your assessment of impact and exploitability
- Whether you have already applied any mitigations
We follow coordinated disclosure:
- You report privately.
- We acknowledge within 72 hours.
- We agree on a fix timeline (target: ≤ 14 days for critical issues).
- We publish a fix and credit the reporter (unless you prefer to stay anonymous).
- You may disclose publicly after the fix is released.
| In scope | Out of scope |
|---|---|
| scripts/install.sh and scripts/update.sh | Issues in third-party tools invoked by agents |
| Hook scripts in scripts/hooks/ | Claude model behavior or Anthropic API issues |
| Agent instructions that could cause harmful actions | Issues in the user's own project (not this repo) |
| Update check mechanism (01-check-updates.sh) | |
This repository has GitHub's Private Vulnerability Reporting enabled. You can also use the "Report a vulnerability" button in the Security tab of this repository.