Only the latest release receives security fixes. If you are running an older version, please upgrade first.

Please do not open a public GitHub issue for security vulnerabilities.

Report security issues privately via GitHub's built-in vulnerability reporting:

1. Go to the Security tab of this repository.
2. Click "Report a vulnerability".
3. Fill in the details — what you found, how to reproduce it, and the potential impact.

A response will be sent within 48 hours and a fix will be prioritised accordingly.

• Vulnerabilities that allow reading or exfiltrating API keys
• Path traversal or arbitrary file read/write in .prompt file parsing
• Code injection through variable substitution
• Dependency vulnerabilities with a realistic exploitation path

• Issues in third-party AI provider SDKs (Anthropic, OpenAI, Ollama) — report those upstream
• "prompt-run sends my prompt to OpenAI" — this is intentional and documented behavior
• Social engineering or phishing attacks

Once a fix is available and released:

• A security advisory will be published on GitHub.
• The fix will be noted in CHANGELOG.md.
• Credit will be given to the reporter unless they prefer to remain anonymous.