diff --git a/docs/maintainers/security-findings-triage-2026-03-29-refresh.csv b/docs/maintainers/security-findings-triage-2026-03-29-refresh.csv
new file mode 100644
index 00000000..e3cb0019
--- /dev/null
+++ b/docs/maintainers/security-findings-triage-2026-03-29-refresh.csv
@@ -0,0 +1,34 @@
+finding_id,title,current_status,current_paths,validation_reason,evidence
+1,Unsanitized frontmatter name enables path traversal in sync script,obsolete/not reproducible on current HEAD,tools/scripts/sync_microsoft_skills.py,sync_microsoft_skills.py now sanitizes flat names and constrains delete/copy targets to safe in-repo paths.,tools/scripts/tests/test_sync_microsoft_skills_security.py
+2,Stored XSS via rehype-raw rendering of skill markdown,obsolete/not reproducible on current HEAD,apps/web-app/src/pages/SkillDetail.tsx,SkillDetail still renders markdown without rehype-raw; the reported stored-XSS path does not reproduce.,apps/web-app/src/pages/SkillDetail.tsx
+3,Symlink-following copy leaks host files in setup_web,obsolete/not reproducible on current HEAD,tools/scripts/setup_web.js,setup_web.js now uses lstatSync plus resolveSafeRealPath() and skips out-of-root symlinks.,tools/scripts/tests/copy_security.test.js
+4,Insecure install guidance allows remote script execution,obsolete/not reproducible on current HEAD,skills/apify-actorization/SKILL.md,The Apify skill no longer recommends pipe-to-shell installs or token-on-command-line login.,skills/apify-actorization/SKILL.md
+5,"setup_web.js now follows symlinks, enabling file exfiltration",duplicate of another finding,tools/scripts/setup_web.js,Same root cause/fix area as finding 3.,tools/scripts/setup_web.js
+6,Symlink traversal in web asset setup copies arbitrary files,duplicate of another finding,tools/scripts/setup_web.js,Same root cause/fix area as finding 3.,tools/scripts/setup_web.js
+7,Symlink file copying in .github/skills sync leaks host files,obsolete/not reproducible on current HEAD,tools/scripts/sync_microsoft_skills.py,Microsoft sync now rejects unsafe symlink targets and only accepts safe regular files that stay within the cloned source root.,tools/scripts/tests/test_sync_microsoft_skills_security.py
+8,Symlinked file copy in Microsoft skill sync can leak host data,duplicate of another finding,tools/scripts/sync_microsoft_skills.py,Same root cause/fix area as finding 7.,tools/scripts/sync_microsoft_skills.py
+9,Committed Python bytecode can hide malicious logic,obsolete/not reproducible on current HEAD,skills/ui-ux-pro-max/scripts/__pycache__,Tracked __pycache__ artifacts are absent on current main and repo hygiene tests fail if they reappear.,tools/scripts/tests/repo_hygiene_security.test.js
+10,Symlinked SKILL.md can leak host files via index script,obsolete/not reproducible on current HEAD,tools/scripts/generate_index.py,generate_index.py now ignores symlinked SKILL.md files during index generation.,tools/scripts/tests/test_frontmatter_parsing_security.py
+11,"Example loader trusts manifest paths, enabling file read",obsolete/not reproducible on current HEAD,docs/integrations/jetski-gemini-loader/loader.mjs,The Jetski loader rejects symlinked skill directories/files and any resolved SKILL.md outside the configured skills root.,tools/scripts/tests/jetski_gemini_loader.test.cjs
+12,TLS certificate verification disabled in new scrapers,obsolete/not reproducible on current HEAD,skills/junta-leiloeiros/scripts/scraper/base_scraper.py | skills/junta-leiloeiros/scripts/web_scraper_fallback.py,TLS verification is enabled by default again; insecure behavior requires an explicit opt-out environment flag.,skills/junta-leiloeiros/scripts/scraper/base_scraper.py
+13,Complete bundle omits valid skill categories,obsolete/not reproducible on current HEAD,tools/lib/skill-filter.js | tools/scripts/build-catalog.js | data/bundles.json,The old helper-path omission still does not drive shipped bundle output; current bundles come from build-catalog.js.,tools/scripts/build-catalog.js
+14,Malformed frontmatter delimiter breaks YAML parsing for skills,obsolete/not reproducible on current HEAD,skills/alpha-vantage/SKILL.md,The malformed --- Unknown frontmatter regression is no longer present in alpha-vantage.,tools/scripts/tests/repo_hygiene_security.test.js
+15,ws_listener writes sensitive events to predictable /tmp files,obsolete/not reproducible on current HEAD,skills/videodb/scripts/ws_listener.py,ws_listener.py now defaults to a user-owned state directory and uses secure file creation.,tools/scripts/tests/local_temp_safety.test.js
+16,Symlink traversal lets /skills/ serve arbitrary local files,obsolete/not reproducible on current HEAD,apps/web-app/refresh-skills-plugin.js,refresh-skills-plugin.js resolves real paths under the skills root before serving /skills/*; the public Pages app no longer exposes the maintainer sync surface.,apps/web-app/refresh-skills-plugin.js
+17,Sync Skills endpoint follows symlinks from downloaded archive,duplicate of another finding,apps/web-app/refresh-skills-plugin.js,Same root cause/fix area as finding 16.,apps/web-app/refresh-skills-plugin.js
+18,Validation crash if YAML frontmatter is not a mapping,obsolete/not reproducible on current HEAD,tools/scripts/validate_skills.py,validate_skills.py now rejects non-mapping YAML frontmatter cleanly instead of crashing downstream validation.,tools/scripts/tests/test_frontmatter_parsing_security.py
+19,Anonymous Supabase writes allow skill star tampering,obsolete/not reproducible on current HEAD,apps/web-app/src/hooks/useSkillStars.ts | apps/web-app/src/lib/supabase.ts,useSkillStars now stores saves locally in the browser and no longer performs shared frontend writes through the public Supabase client.,apps/web-app/src/hooks/useSkillStars.ts
+20,Metadata fixer overwrites symlinked SKILL.md targets,obsolete/not reproducible on current HEAD,tools/scripts/fix_skills_metadata.py,fix_skills_metadata.py now skips symlinked SKILL.md files and non-mapping frontmatter.,tools/scripts/fix_skills_metadata.py
+21,Installer now dereferences symlinks during copy,obsolete/not reproducible on current HEAD,tools/bin/install.js,install.js now uses lstatSync plus resolveSafeRealPath() and skips symlinks that resolve outside the cloned repo root.,tools/scripts/tests/copy_security.test.js
+22,Installer merge path dereferences symlinks when copying,duplicate of another finding,tools/bin/install.js,Same root cause/fix area as finding 21.,tools/bin/install.js
+23,Cleanup sync deletes arbitrary paths via flat_name,duplicate of another finding,tools/scripts/sync_microsoft_skills.py,Same root cause/fix area as finding 1.,tools/scripts/sync_microsoft_skills.py
+24,Audio transcription example allows Python code injection,obsolete/not reproducible on current HEAD,skills/audio-transcriber/examples/basic-transcription.sh,The audio transcription example now uses a quoted heredoc and passes values via environment variables.,skills/audio-transcriber/examples/basic-transcription.sh
+25,Unbounded recursive skill traversal can crash catalog build,obsolete/not reproducible on current HEAD,tools/lib/skill-utils.js | tools/scripts/build-catalog.js,The claimed recursive symlink traversal in catalog discovery still does not reproduce on current code paths.,tools/lib/skill-utils.js
+26,Release scripts still use root skills_index.json path,obsolete/not reproducible on current HEAD,tools/scripts/update_readme.py | tools/scripts/generate_index.py | tools/scripts/release_workflow.js,"Root skills_index.json remains the canonical generated index, so the reported release-script path mismatch does not reproduce.",tools/scripts/release_workflow.js
+27,Symlink traversal in skill normalization allows file overwrite,obsolete/not reproducible on current HEAD,tools/lib/skill-utils.js | tools/scripts/normalize-frontmatter.js,"skill-utils.js now relies on lstatSync-based safe directory/file discovery, so normalization does not treat symlinked skill folders as writable local skills.",tools/lib/skill-utils.js
+28,last30days skill passes user input directly to Bash command,obsolete/not reproducible on current HEAD,skills/last30days/SKILL.md,"The last30days skill still passes user input as a quoted value through a temp file, so the reported direct shell-injection sink does not reproduce.",skills/last30days/SKILL.md
+29,Unvalidated YAML frontmatter can crash index generation,duplicate of another finding,tools/scripts/generate_index.py,Same root cause/fix area as finding 18.,tools/scripts/generate_index.py
+30,Predictable /tmp counter file enables local file clobbering,obsolete/not reproducible on current HEAD,skills/cc-skill-strategic-compact/suggest-compact.sh,The strategic compact hook now stores state under XDG_STATE_HOME instead of predictable shared /tmp paths.,tools/scripts/tests/local_temp_safety.test.js
+31,Symlink traversal risk in new sync script,obsolete/not reproducible on current HEAD,tools/scripts/sync_recommended_skills.sh,sync_recommended_skills.sh now preserves symlinks with cp -RP and avoids the destructive glob-delete pattern from the original report.,tools/scripts/tests/repo_hygiene_security.test.js
+32,skills_manager allows path traversal in enable/disable operations,obsolete/not reproducible on current HEAD,tools/scripts/skills_manager.py,skills_manager.py now resolves candidate paths relative to the intended base directory and rejects traversal attempts.,tools/scripts/tests/test_skills_manager_security.py
+33,Zip Slip risk in Office unpack scripts,obsolete/not reproducible on current HEAD,skills/docx-official/ooxml/scripts/unpack.py | skills/pptx-official/ooxml/scripts/unpack.py,The Office unpack helpers now validate archive members and reject traversal/symlink-style entries before extraction.,tools/scripts/tests/test_office_unpack_security.py
diff --git a/docs/maintainers/security-findings-triage-2026-03-29-refresh.md b/docs/maintainers/security-findings-triage-2026-03-29-refresh.md
index 34b581c8..eaa9d5ba 100644
--- a/docs/maintainers/security-findings-triage-2026-03-29-refresh.md
+++ b/docs/maintainers/security-findings-triage-2026-03-29-refresh.md
@@ -8,6 +8,8 @@ baseline.
 - Current verification target: `main@d63d99381b8f613f99c8cb7b758e7879b401f8a0`
 - The 2026-03-15 markdown file and CSV remain useful as historical input, not
   as the current source of truth.
+- A machine-readable companion export for this refresh lives at
+  [`security-findings-triage-2026-03-29-refresh.csv`](security-findings-triage-2026-03-29-refresh.csv).
 - Status meanings are unchanged:
   `still present and exploitable`, `still present but low practical risk`,
   `obsolete/not reproducible on current HEAD`, `duplicate of another finding`.
diff --git a/walkthrough.md b/walkthrough.md
index 24055f26..fec80e68 100644
--- a/walkthrough.md
+++ b/walkthrough.md
@@ -1,6 +1,7 @@
 # Maintenance Walkthrough - 2026-03-29
 
 - Re-triaged the full 2026-03-15 security finding set against current `main` and wrote a fresh current-head report in `docs/maintainers/security-findings-triage-2026-03-29-refresh.md`.
+- Added a matching machine-readable export at `docs/maintainers/security-findings-triage-2026-03-29-refresh.csv` so the refreshed statuses are available in both markdown and CSV form.
 - Kept the old `2026-03-15` markdown/CSV as historical baseline input, preserved the smaller `2026-03-29` addendum as a transition note, and pointed both docs at the new refresh as the current source of truth.
 - The refreshed triage currently lands at:
   - `0` findings still present and exploitable