Security fixes are provided for the latest development branch and the most recent tagged release line only.
Do not file public GitHub issues for security vulnerabilities.
Please report vulnerabilities privately using one of the following channels:
- If the public repository has GitHub Security Advisories enabled, open a private advisory there.
- Email:
iamzhihuix@gmail.com
Please include:
- A description of the issue
- Steps to reproduce or a proof of concept
- Impact and affected workflows
- Any suggested mitigation or patch
Initial acknowledgment target: 7 days
Patch or mitigation target after confirmation: 30 days
skills-manageis a local-first desktop app. It stores collections, scan results, app settings, and cached AI explanations in~/.skillsmanage/db.sqlite.- Managed skill files remain in the directories you configure for each platform.
- If you configure a GitHub Personal Access Token or AI API key, it is stored locally in the app database so the app can reuse it later.
- Those locally stored credentials are not encrypted at rest by the application. Protect your operating-system account appropriately and prefer low-scope tokens.
- The app does not include analytics, crash reporting, or usage tracking.
- The app only makes outbound network requests when you explicitly use networked features such as marketplace sync/download, GitHub repository import, or AI explanation generation.
- AI explanation generation sends the selected skill content and prompt to the provider you configured in Settings.
When filing issues or pull requests, always redact:
- API keys, access tokens, refresh tokens, and passwords
- Private keys and credential files
- JWTs or other tokens containing personally identifying information
Use placeholders such as <REDACTED> or ghp_...REDACTED....