Please report security issues privately — do not open a public issue.
Email security@techhorizonlabs.com with a description, reproduction steps, and the affected file(s). We aim to acknowledge within a few business days.
This repo is Claude Code skills (markdown that instructs an agent) plus one small Node tool. There's no server and no bundled binary, but skills do direct an agent to run shell commands and fetch the open web. Two things follow:
- Read a skill before you install it. A skill can run code on your machine through
the agent. These are short and auditable — read
SKILL.mdand anyscripts/. - Fetched web content is data, not instructions. Our crawler / brand-mention skills pull public pages. A page could contain text crafted to look like instructions (prompt injection). The skills are written to treat fetched content as data to analyse, never as commands to follow — and we ask contributions to hold the same line (see the security rule in the Skill-Authoring Standard).
- No telemetry. Nothing here phones home. There is no analytics POST, no install
beacon, no usage tracking. (This is a deliberate choice — see
docs/HOW-WE-COMPARE.md.) - No login / no gating. Every skill runs on your own Claude Code session model. The
validator (
scripts/validate.sh§5) enforces that no login-gating ships. - No secrets in the repo. The validator leak-checks for client names and secret shapes before anything ships.