If you discover a security vulnerability in Schliff, please report it responsibly:
- Do not open a public issue
- Open a private security advisory on GitHub
- Include: description, reproduction steps, potential impact
We will acknowledge receipt within 48 hours and provide a fix timeline within 7 days.
Schliff processes skill files (SKILL.md) and eval suites (JSON). Security considerations:
- File size limits: Skill files are capped at 1 MB to prevent resource exhaustion
- Path traversal: Reference path resolution blocks `..` sequences
- Regex safety: Runtime evaluator uses timeout-protected regex matching
- No network access: All scoring is local — no data leaves your machine
- No code execution: Schliff reads and scores files, it does not execute skill content
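The three input-hardening checks listed above (size cap, reference path containment, bounded regex matching) as an added, self-contained Python example. This is not Schliff's own code; the function names, the `REGEX_TIMEOUT_S` value and the sample skill directory are assumptions made here. Two practitioner notes baked into it: rejecting `..` textually is necessary but not sufficient on its own, so the resolver also resolves the path (following symlinks) and verifies it is still under the skill root; and Python's standard `re` module has no timeout and cannot be interrupted by a signal mid-match, so the bound is enforced by running the match in a forked child process that is killed on expiry (POSIX only).

```python
"""Added example, not Schliff's code: the policy's three input checks on
constructed sample data (skill root, references, eval-style regexes)."""
import multiprocessing
import re
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath

MAX_SKILL_BYTES = 1 * 1024 * 1024  # 1 MB cap, as stated in the policy
REGEX_TIMEOUT_S = 1.0              # assumed value; the page gives no number


def read_skill_file(path: Path, limit: int = MAX_SKILL_BYTES) -> bytes:
    """Refuse oversized files before and while reading them into memory."""
    size = path.stat().st_size
    if size > limit:
        raise ValueError(f"{path}: {size} bytes exceeds {limit}-byte cap")
    with path.open("rb") as fh:
        data = fh.read(limit + 1)  # never read past the cap even if the file grew
    if len(data) > limit:
        raise ValueError(f"{path}: exceeded {limit}-byte cap while reading")
    return data


def resolve_reference(skill_root: Path, ref: str) -> Path:
    """Resolve a reference path from SKILL.md strictly inside skill_root.

    First the textual check (absolute path or any '..' segment, either
    separator style), then a containment check on the resolved path so
    symlinks pointing outside the root are rejected as well."""
    segments = re.split(r"[\\/]", ref)
    if PurePosixPath(ref).is_absolute() or PureWindowsPath(ref).is_absolute() \
            or ".." in segments:
        raise ValueError(f"reference {ref!r} rejected: absolute or contains '..'")
    root = skill_root.resolve()
    target = (root / ref).resolve()
    if not target.is_relative_to(root):
        raise ValueError(f"reference {ref!r} resolves outside {root}")
    return target


def _match_worker(pattern: str, text: str, conn) -> None:
    conn.send(re.fullmatch(pattern, text) is not None)
    conn.close()


def safe_fullmatch(pattern: str, text: str, timeout: float = REGEX_TIMEOUT_S):
    """re.fullmatch in a forked child, terminated on timeout (POSIX only).

    Returns True/False when the match finishes, None when it was killed."""
    ctx = multiprocessing.get_context("fork")
    reader, writer = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_match_worker, args=(pattern, text, writer), daemon=True)
    proc.start()
    writer.close()
    try:
        return reader.recv() if reader.poll(timeout) else None
    finally:
        if proc.is_alive():
            proc.terminate()
        proc.join()
        reader.close()


def _raises(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Exercise all three checks on a constructed skill directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "skill"
        (root / "refs").mkdir(parents=True)
        (root / "SKILL.md").write_text("# Sample skill (constructed)\n")
        (root / "refs" / "notes.md").write_text("ok\n")
        (Path(tmp) / "secret.txt").write_text("outside the skill root\n")
        (root / "refs" / "escape").symlink_to(Path(tmp))  # symlink pointing out
        big = root / "big.md"
        big.write_bytes(b"x" * (MAX_SKILL_BYTES + 1))

        results["size_ok"] = read_skill_file(root / "SKILL.md").startswith(b"# Sample")
        results["size_rejected"] = _raises(lambda: read_skill_file(big))
        results["ref_ok"] = resolve_reference(root, "refs/notes.md").name == "notes.md"
        results["dotdot_rejected"] = _raises(lambda: resolve_reference(root, "../secret.txt"))
        results["abs_rejected"] = _raises(lambda: resolve_reference(root, "/etc/passwd"))
        results["symlink_rejected"] = _raises(
            lambda: resolve_reference(root, "refs/escape/secret.txt"))
    results["regex_ok"] = safe_fullmatch(r"[a-z]+", "hello")
    # Classic catastrophic-backtracking pattern: would run effectively forever.
    results["regex_timeout"] = safe_fullmatch(r"(a+)+$", "a" * 40 + "!")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`demo()` returns `regex_timeout` as `None` because the child is killed after `REGEX_TIMEOUT_S`; a scorer should treat that outcome as a failed check, not as a match, and log the offending pattern.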
| Version | Supported |
|---|---|
| 6.x | Yes (current) |
| 5.x | Security fixes only |
| < 5.0 | No |