Security: ErickXavier/nojs-skill

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security issue in the NoJS Skill (e.g., a prompt injection vector in the skill content or references), please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please email contact@no-js.dev with:

  • A description of the vulnerability
  • Steps to reproduce the issue
  • Any potential impact assessment

What to expect

  • Acknowledgment within 48 hours of your report
  • Status update within 7 days with an assessment and expected timeline
  • Fix and disclosure coordinated with you before any public announcement

Scope

The following are in scope:

  • Prompt injection via skill content or reference files
  • Incorrect security guidance in generated code patterns
  • Sensitive information disclosure in skill metadata

Out of scope

  • Vulnerabilities in the No.JS framework itself (report those to the framework repo)
  • Issues in the AI tool consuming the skill (Claude Code, etc.)

There aren't any published security advisories