firefrost-gaming/claude-skills-reference
3
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
main
claude-skills-reference/SECURITY.md
Reza Rezvani 496c484b06 feat: add complete GitHub repository pages and MIT License for open source 
Add professional open source repository setup with all essential GitHub
community health files, templates, and legal documentation.

Core Files Added (5):

1. **LICENSE**
   - Official MIT License
   - Copyright 2025 Alireza Rezvani
   - GitHub will automatically recognize and display
   - Enables commercial use, modification, distribution

2. **CONTRIBUTING.md**
   - Complete contribution guidelines
   - Skill creation standards following Anthropic spec
   - Python script quality requirements
   - Development workflow and PR process
   - Style guide (Python PEP 8, Markdown, commits)
   - Domain-specific guidelines
   - Quality checklist for contributors

3. **CODE_OF_CONDUCT.md**
   - Contributor Covenant 2.0 standard
   - Community standards and expectations
   - Enforcement guidelines
   - Incident reporting process

4. **SECURITY.md**
   - Vulnerability reporting process
   - Supported versions table
   - Response timelines by severity
   - Security best practices for users
   - Secure coding guidelines for contributors
   - Responsible disclosure policy

5. **CHANGELOG.md**
   - Keep a Changelog format
   - Complete version history from v1.0.0
   - Documents all 42 skills in initial release
   - Tracks Anthropic refactoring progress (v1.1.0)
   - GitHub pages addition (v1.0.2)
   - Semantic versioning with comparison links

GitHub Templates Added (5):

6. **.github/ISSUE_TEMPLATE/bug_report.md**
   - Standardized bug reporting
   - Environment details checklist
   - Reproduction steps required
   - Skill-specific context

7. **.github/ISSUE_TEMPLATE/feature_request.md**
   - New skill proposal template
   - Problem statement and use cases
   - ROI and value quantification
   - Python tools and references specification

8. **.github/ISSUE_TEMPLATE/skill_improvement.md**
   - Enhancement suggestions for existing skills
   - Specific change proposals
   - Value proposition requirement
   - Implementation willingness indicator

9. **.github/ISSUE_TEMPLATE/documentation.md**
   - Documentation issue reporting
   - Clear before/after examples
   - Affected audience specification
   - Link validation focus

10. **.github/pull_request_template.md**
    - Comprehensive PR checklist
    - Quality standards enforcement
    - Testing requirements
    - Documentation update verification
    - ROI value estimation

Benefits:

**For Repository:**
-  Professional open source appearance
-  GitHub recognizes LICENSE automatically
-  Community health score improves to 100%
-  Legal clarity (MIT License)
-  Security vulnerability process established

**For Contributors:**
-  Clear contribution guidelines
-  Standardized issue templates
-  Quality checklists
-  Expected behavior defined

**For Users:**
-  Transparent licensing
-  Security reporting process
-  Version history tracking
-  Professional community standards

Repository Status:
- All GitHub recommended community files present
- Open source best practices followed
- Ready for community contributions
- Professional project presentation

This completes the essential GitHub repository setup for a professional
open source project, making the Claude Skills Library contribution-ready
and community-friendly.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-28 12:04:00 +01:00

295 lines
6.9 KiB
Markdown
Raw Permalink Blame History

# Security Policy
## Supported Versions
We release updates and security fixes for the following versions:
| Version | Supported |
| ------- | ------------------ |
| 1.x.x | :white_check_mark: |
| < 1.0 | :x: |
All skills are currently at version 1.0.0 and receive active support.
## Reporting a Vulnerability
We take security seriously. If you discover a security vulnerability within this repository, please follow these steps:
### 1. Do NOT Open a Public Issue
Please **do not** create a public GitHub issue for security vulnerabilities. This helps protect users while we work on a fix.
### 2. Contact Us Privately
Report security vulnerabilities through:
**Primary Contact:**
- **Website:** [alirezarezvani.com](https://alirezarezvani.com) (use contact form)
- **Medium:** [@alirezarezvani](https://medium.com/@alirezarezvani) (private message)
**Information to Include:**
- Type of vulnerability
- Full details of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)
- Your contact information
### 3. Response Timeline
We aim to respond to security reports according to this timeline:
- **Initial Response:** Within 48 hours
- **Vulnerability Assessment:** Within 1 week
- **Fix Development:** Based on severity (see below)
- **Public Disclosure:** After fix is deployed
### Severity Levels
**Critical (24-48 hours):**
- Remote code execution
- Unauthorized access to sensitive data
- Privilege escalation
**High (1 week):**
- Data exposure
- Authentication bypass
- Significant security weakness
**Medium (2 weeks):**
- Cross-site scripting (XSS)
- Information disclosure
- Security misconfigurations
**Low (1 month):**
- Minor information leaks
- Best practice violations
- Non-critical security improvements
---
## Security Best Practices for Users
### When Using Skills
**1. Review Python Scripts Before Execution**
Always review what a script does before running it:
```bash
# Read the script first
cat scripts/tool.py
# Check for:
# - External network calls
# - File system modifications
# - Environment variable access
# - Suspicious imports
```
**2. Run Scripts in Sandboxed Environments**
For untrusted or new scripts:
```bash
# Use virtual environments
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
# Or use Docker
docker run -it --rm -v $(pwd):/work python:3.11 python /work/scripts/tool.py
```
**3. Verify SKILL.md Content**
Check that SKILL.md:
- Doesn't request sensitive information
- Has clear, documented workflows
- Follows Anthropic's spec
- Has valid YAML frontmatter
**4. Use allowed-tools Restrictions**
If a skill has `allowed-tools` in frontmatter, it's restricted to those tools only:
```yaml
---
allowed-tools: Read, Grep, Glob
---
```
This provides an additional safety layer.
---
## Security in Skill Development
### Secure Coding Practices
**For Python Scripts:**
**DO:**
- ✅ Validate all inputs
- ✅ Use parameterized queries (if using databases)
- ✅ Handle errors gracefully
- ✅ Limit file system access to necessary directories
- ✅ Use type hints for safety
- ✅ Sanitize user input
**DON'T:**
- ❌ Use eval() or exec() with user input
- ❌ Execute shell commands with unsanitized input
- ❌ Store credentials in code
- ❌ Make unchecked network requests
- ❌ Access sensitive system files
- ❌ Use deprecated libraries with known vulnerabilities
**Example - Secure Input Handling:**
```python
import os
import re
def safe_read_file(filename: str) -> str:
"""Safely read a file with validation."""
# Validate filename
if not re.match(r'^[a-zA-Z0-9._-]+$', filename):
raise ValueError("Invalid filename")
# Prevent directory traversal
if '..' in filename or filename.startswith('/'):
raise ValueError("Invalid file path")
# Read from safe directory
safe_dir = os.path.join(os.getcwd(), 'data')
full_path = os.path.join(safe_dir, filename)
# Verify path is within safe directory
if not full_path.startswith(safe_dir):
raise ValueError("Path outside safe directory")
with open(full_path, 'r') as f:
return f.read()
```
### Dependency Management
**Keep Dependencies Minimal:**
- Prefer Python standard library
- Document all external dependencies
- Pin dependency versions
- Regularly update for security patches
**Check Dependencies:**
```bash
# Audit Python dependencies
pip install safety
safety check
# Or use pip-audit
pip install pip-audit
pip-audit
```
---
## Vulnerability Disclosure Process
### For Maintainers
When a vulnerability is reported:
1. **Acknowledge Receipt** (48 hours)
- Confirm we received the report
- Provide expected timeline
2. **Assess Severity** (1 week)
- Evaluate impact and scope
- Determine priority level
- Assign severity rating
3. **Develop Fix** (Based on severity)
- Create patch in private branch
- Test thoroughly
- Prepare security advisory
4. **Deploy Fix**
- Merge to main
- Tag new version
- Publish GitHub security advisory
5. **Public Disclosure**
- Announce in CHANGELOG
- Credit reporter (if desired)
- Provide mitigation guidance
---
## Security Features
### Current Security Measures
**Repository:**
- All skills open source (transparent review)
- MIT License (clear usage terms)
- No secrets or credentials committed
- Clean .gitignore for sensitive files
**Python Scripts:**
- Standard library preferred (minimal attack surface)
- No network calls in core tools
- File system access limited
- Input validation implemented
**Documentation:**
- Clear usage instructions
- Security considerations documented
- Best practices included
- Safe examples provided
### Planned Security Enhancements
**v1.1.0:**
- Automated dependency scanning
- GitHub Dependabot integration
- Security advisories enabled
- Vulnerability scanning in CI/CD
---
## Responsible Disclosure
We appreciate security researchers who:
- Report vulnerabilities responsibly
- Give us time to fix before public disclosure
- Provide detailed reproduction steps
- Suggest potential fixes
### Recognition
Security researchers who responsibly disclose will be:
- Credited in CHANGELOG (if desired)
- Mentioned in security advisory
- Recognized in README (optional)
- Thanked publicly on social media (with permission)
---
## Contact
For security-related inquiries:
- **Website:** [alirezarezvani.com](https://alirezarezvani.com)
- **Blog:** [medium.com/@alirezarezvani](https://medium.com/@alirezarezvani)
- **GitHub Issues:** For non-security bugs only
**Please do not use public channels for security vulnerabilities.**
---
## Additional Resources
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Python Security Best Practices](https://python.readthedocs.io/en/stable/library/security_warnings.html)
- [GitHub Security Advisories](https://docs.github.com/en/code-security/security-advisories)
---
Thank you for helping keep the Claude Skills Library and its users safe!
Reference in New Issue View Git Blame Copy Permalink