Security: baskduf/harness-starter-kit

Security

SECURITY.md

Security Policy

This project is a starter kit and does not process production data by itself, but security-sensitive issues can still appear in scripts, templates, examples, or documentation.

Reporting A Vulnerability

If the repository has GitHub private vulnerability reporting enabled, use that channel. Otherwise, open a minimal public issue that asks for a private contact without including exploit details, secrets, or sensitive target repository data.

Please include:

  • affected file or workflow
  • impact
  • reproduction steps, if safe to share privately
  • suggested mitigation, if known

Scope

Security reports may cover unsafe file operations, secret leakage risks, dangerous CI guidance, dependency confusion in examples, or instructions that could cause agents to expose credentials or modify sensitive files.

There aren't any published security advisories