If you discover a security issue in Awesome Omni Skills, do not open a public issue first.
Please report through one of these private channels:
| Channel | How |
|---|---|
| ๐ GitHub Security Advisory | Open a private advisory |
| ๐ง Direct Contact | Contact the maintainers directly |
- ๐ Affected component or path
- ๐ Reproduction steps
โ ๏ธ Impact assessment- ๐งช Any proof-of-concept material needed to verify the issue
โฑ๏ธ We aim to acknowledge reports within 48 hours and prioritize fixes according to impact.
This policy covers the repository's runtime and content surfaces:
| Component | Path |
|---|---|
| ๐ฅ๏ธ CLI and installer | packages/cli/ |
| ๐ Shared catalog runtime | packages/catalog-core/ |
| ๐ Install targets | packages/install-targets/ |
| โ๏ธ Build and validation scripts | tools/scripts/ |
| ๐ฆ Generated catalog artifacts | dist/ |
| ๐ API, MCP, and A2A packages | packages/server-api/ ยท packages/server-mcp/ ยท packages/server-a2a/ |
| ๐ง Skill content | skills/ โ especially shell commands, network access, credential flows, or security-sensitive guidance |
The repository relies on the following security controls:
| Control | Description |
|---|---|
| ๐ท๏ธ Risk field | Skill metadata includes a declared risk level |
| ๐ Scoring | Validation computes maturity, best-practices, quality, and security scores |
| ๐ Static scanner | Inspects SKILL.md, packaged files, and helper scripts, and blocks critical findings from entering the public catalog |
| ๐ฆ Release malware verification | Published releases are verified with both ClamAV and VirusTotal before publication |
The public repository does not accept skills that trip the critical security gate. Current hard blockers include:
- remote content piped directly into shell execution
- instructions that attempt to reveal prompts, secrets, or hidden runtime context
When the validator finds one of those patterns, the skill does not enter the public catalog. In external-repository intake, valid siblings may still continue while the blocked skills are excluded and reported separately.
| Control | Description |
|---|---|
| ๐ Path safety | Install flows use path safety checks |
| ๐ Allowlist writes | Local MCP sidecar writes constrained by an allowlist |
| ๐๏ธ Dry-run defaults | Write-oriented tools default to dry-run unless explicitly disabled |
| ๐ Auth & limits | Bearer/API-key auth, admin runtime auth, rate limiting, CORS/IP allowlists |
| ๐ Audit | Audit logging, maintenance mode, and request IDs |
| Control | Description |
|---|---|
| โ Checksum manifests | SHA-256 checksums for generated archives |
| โ๏ธ Signatures | Detached signature verification in CI before publication |
| ๐ฆ Dual scanner gate | ClamAV and VirusTotal both required to complete cleanly for release publication |
| ๐งช Smoke checks | Exercise shipped runtime surfaces before release |
The main security work remaining is not baseline hardening. The open items are:
| Area | Status |
|---|---|
| ๐ข Enterprise governance | External identity, gateway policy, and WAF integration above current in-process controls |
| ๐ MCP client writers | Broader writers only when public config contracts are stable enough |
| ๐ Scanner refinement | Continued refinement so exceptional skills stay clearly separated from merely well-structured ones |
Each skill declares one of these risk levels:
| Risk Level | Meaning |
|---|---|
๐ข safe |
No destructive operations expected |
๐ก caution |
May modify files or interact with external systems |
๐ด offensive |
Security-testing or adversarial workflows requiring explicit authorization |
โ critical |
High-impact or system-level operations |
Because Awesome Omni Skills ships executable helpers, filesystem-aware local tooling, and client-specific config writers, these vulnerability classes should be treated as high priority even if they appear "local only":
| Category | Examples |
|---|---|
| ๐ Path traversal | Directory escape via skill install or config paths |
| ๐ Symlink safety | Symlink following during install or archive extraction |
| ๐ฅ๏ธ Command execution | Arbitrary command injection via skill content or scripts |
| ๐ฆ Archive verification | Bypass of checksum or signature verification |
| ๐ Auth bypass | Rate-limiting or authentication bypass on API/MCP |
| ๐ Allowlist bypass | Local sidecar allowlist circumvention |
| ๐ฆ Scanner evasion | False-negative classes in static or external scanners |