firefrost-gaming/claude-skills-reference
3
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
659707e7c58d2c0fb8a84e6b11412afef863453f
claude-skills-reference/SECURITY.md
Reza Rezvani 496c484b06 feat: add complete GitHub repository pages and MIT License for open source 
Add professional open source repository setup with all essential GitHub
community health files, templates, and legal documentation.

Core Files Added (5):

1. **LICENSE**
   - Official MIT License
   - Copyright 2025 Alireza Rezvani
   - GitHub will automatically recognize and display
   - Enables commercial use, modification, distribution

2. **CONTRIBUTING.md**
   - Complete contribution guidelines
   - Skill creation standards following Anthropic spec
   - Python script quality requirements
   - Development workflow and PR process
   - Style guide (Python PEP 8, Markdown, commits)
   - Domain-specific guidelines
   - Quality checklist for contributors

3. **CODE_OF_CONDUCT.md**
   - Contributor Covenant 2.0 standard
   - Community standards and expectations
   - Enforcement guidelines
   - Incident reporting process

4. **SECURITY.md**
   - Vulnerability reporting process
   - Supported versions table
   - Response timelines by severity
   - Security best practices for users
   - Secure coding guidelines for contributors
   - Responsible disclosure policy

5. **CHANGELOG.md**
   - Keep a Changelog format
   - Complete version history from v1.0.0
   - Documents all 42 skills in initial release
   - Tracks Anthropic refactoring progress (v1.1.0)
   - GitHub pages addition (v1.0.2)
   - Semantic versioning with comparison links

GitHub Templates Added (5):

6. **.github/ISSUE_TEMPLATE/bug_report.md**
   - Standardized bug reporting
   - Environment details checklist
   - Reproduction steps required
   - Skill-specific context

7. **.github/ISSUE_TEMPLATE/feature_request.md**
   - New skill proposal template
   - Problem statement and use cases
   - ROI and value quantification
   - Python tools and references specification

8. **.github/ISSUE_TEMPLATE/skill_improvement.md**
   - Enhancement suggestions for existing skills
   - Specific change proposals
   - Value proposition requirement
   - Implementation willingness indicator

9. **.github/ISSUE_TEMPLATE/documentation.md**
   - Documentation issue reporting
   - Clear before/after examples
   - Affected audience specification
   - Link validation focus

10. **.github/pull_request_template.md**
    - Comprehensive PR checklist
    - Quality standards enforcement
    - Testing requirements
    - Documentation update verification
    - ROI value estimation

Benefits:

**For Repository:**
-  Professional open source appearance
-  GitHub recognizes LICENSE automatically
-  Community health score improves to 100%
-  Legal clarity (MIT License)
-  Security vulnerability process established

**For Contributors:**
-  Clear contribution guidelines
-  Standardized issue templates
-  Quality checklists
-  Expected behavior defined

**For Users:**
-  Transparent licensing
-  Security reporting process
-  Version history tracking
-  Professional community standards

Repository Status:
- All GitHub recommended community files present
- Open source best practices followed
- Ready for community contributions
- Professional project presentation

This completes the essential GitHub repository setup for a professional
open source project, making the Claude Skills Library contribution-ready
and community-friendly.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-28 12:04:00 +01:00

6.9 KiB
Raw Blame History

Security Policy

Supported Versions

We release updates and security fixes for the following versions:

Version Supported
1.x.x
< 1.0

All skills are currently at version 1.0.0 and receive active support.

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability within this repository, please follow these steps:

1. Do NOT Open a Public Issue

Please do not create a public GitHub issue for security vulnerabilities. This helps protect users while we work on a fix.

2. Contact Us Privately

Report security vulnerabilities through:

Primary Contact:

Information to Include:

  • Type of vulnerability
  • Full details of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if you have one)
  • Your contact information

3. Response Timeline

We aim to respond to security reports according to this timeline:

  • Initial Response: Within 48 hours
  • Vulnerability Assessment: Within 1 week
  • Fix Development: Based on severity (see below)
  • Public Disclosure: After fix is deployed

Severity Levels

Critical (24-48 hours):

  • Remote code execution
  • Unauthorized access to sensitive data
  • Privilege escalation

High (1 week):

  • Data exposure
  • Authentication bypass
  • Significant security weakness

Medium (2 weeks):

  • Cross-site scripting (XSS)
  • Information disclosure
  • Security misconfigurations

Low (1 month):

  • Minor information leaks
  • Best practice violations
  • Non-critical security improvements

Security Best Practices for Users

When Using Skills

1. Review Python Scripts Before Execution

Always review what a script does before running it:

# Read the script first
cat scripts/tool.py

# Check for:
# - External network calls
# - File system modifications
# - Environment variable access
# - Suspicious imports

2. Run Scripts in Sandboxed Environments

For untrusted or new scripts:

# Use virtual environments
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt

# Or use Docker
docker run -it --rm -v $(pwd):/work python:3.11 python /work/scripts/tool.py

3. Verify SKILL.md Content

Check that SKILL.md:

  • Doesn't request sensitive information
  • Has clear, documented workflows
  • Follows Anthropic's spec
  • Has valid YAML frontmatter

4. Use allowed-tools Restrictions

If a skill has allowed-tools in frontmatter, it's restricted to those tools only:

---
allowed-tools: Read, Grep, Glob
---

This provides an additional safety layer.

Security in Skill Development

Secure Coding Practices

For Python Scripts:

DO:

  • Validate all inputs
  • Use parameterized queries (if using databases)
  • Handle errors gracefully
  • Limit file system access to necessary directories
  • Use type hints for safety
  • Sanitize user input

DON'T:

  • Use eval() or exec() with user input
  • Execute shell commands with unsanitized input
  • Store credentials in code
  • Make unchecked network requests
  • Access sensitive system files
  • Use deprecated libraries with known vulnerabilities

Example - Secure Input Handling:

import os
import re

def safe_read_file(filename: str) -> str:
    """Safely read a file with validation."""
    # Validate filename
    if not re.match(r'^[a-zA-Z0-9._-]+$', filename):
        raise ValueError("Invalid filename")

    # Prevent directory traversal
    if '..' in filename or filename.startswith('/'):
        raise ValueError("Invalid file path")

    # Read from safe directory
    safe_dir = os.path.join(os.getcwd(), 'data')
    full_path = os.path.join(safe_dir, filename)

    # Verify path is within safe directory
    if not full_path.startswith(safe_dir):
        raise ValueError("Path outside safe directory")

    with open(full_path, 'r') as f:
        return f.read()

Dependency Management

Keep Dependencies Minimal:

  • Prefer Python standard library
  • Document all external dependencies
  • Pin dependency versions
  • Regularly update for security patches

Check Dependencies:

# Audit Python dependencies
pip install safety
safety check

# Or use pip-audit
pip install pip-audit
pip-audit

Vulnerability Disclosure Process

For Maintainers

When a vulnerability is reported:

  1. Acknowledge Receipt (48 hours)

    • Confirm we received the report
    • Provide expected timeline

  2. Assess Severity (1 week)

    • Evaluate impact and scope
    • Determine priority level
    • Assign severity rating

  3. Develop Fix (Based on severity)

    • Create patch in private branch
    • Test thoroughly
    • Prepare security advisory

  4. Deploy Fix

    • Merge to main
    • Tag new version
    • Publish GitHub security advisory

  5. Public Disclosure

    • Announce in CHANGELOG
    • Credit reporter (if desired)
    • Provide mitigation guidance

Security Features

Current Security Measures

Repository:

  • All skills open source (transparent review)
  • MIT License (clear usage terms)
  • No secrets or credentials committed
  • Clean .gitignore for sensitive files

Python Scripts:

  • Standard library preferred (minimal attack surface)
  • No network calls in core tools
  • File system access limited
  • Input validation implemented

Documentation:

  • Clear usage instructions
  • Security considerations documented
  • Best practices included
  • Safe examples provided

Planned Security Enhancements

v1.1.0:

  • Automated dependency scanning
  • GitHub Dependabot integration
  • Security advisories enabled
  • Vulnerability scanning in CI/CD

Responsible Disclosure

We appreciate security researchers who:

  • Report vulnerabilities responsibly
  • Give us time to fix before public disclosure
  • Provide detailed reproduction steps
  • Suggest potential fixes

Recognition

Security researchers who responsibly disclose will be:

  • Credited in CHANGELOG (if desired)
  • Mentioned in security advisory
  • Recognized in README (optional)
  • Thanked publicly on social media (with permission)

Contact

For security-related inquiries:

Please do not use public channels for security vulnerabilities.

Additional Resources

Thank you for helping keep the Claude Skills Library and its users safe!

Reference in New Issue View Git Blame Copy Permalink