Skill packages contain code-generation guidance, not executable code. The primary security concern is : skill guidance that leads Claude to generate insecure code.

• For skill-content issues (e.g. anti-pattern that allows SQL injection in generated code) : open a GitHub issue with security label
• For sensitive issues : email {{SECURITY_EMAIL}} with subject "SECURITY : Rust-Claude-Skill-Package"
• For supply-chain issues (compromised dependencies in package.json) : open a GitHub Security Advisory via the repo's Security tab

• Acknowledgement : within 5 business days
• Fix or mitigation : within 30 days for high-severity, 90 days for lower-severity

• Vulnerabilities in Rust itself : report to upstream
• Claude model behavior : report to Anthropic
• General LLM-prompt-injection in user input : application-side concern

Once fixed, the vulnerability is disclosed in CHANGELOG.md and the GitHub Security Advisory is published.