If you discover a security vulnerability in this repository, please report it privately rather than opening a public issue.

1. GitHub Private Vulnerability Reporting: Go to the Security tab of this repository and click Report a vulnerability.
2. Email: Send details to the maintainers via the contact information on orcaqubits-ai.com.

• Description of the vulnerability
• Steps to reproduce
• Which plugin(s) are affected
• Potential impact (e.g., credential exposure, code injection)

• Acknowledgement within 72 hours
• Status update within 7 days
• Fix or mitigation as soon as possible, depending on severity

This policy covers:

• Hook scripts (hooks/scripts/*.py) — secret detection and CLI protection logic
• Skill definitions (skills/*/SKILL.md) — instructions that guide code generation
• Agent definitions (agents/*.md) — instructions that guide subagent behavior
• Plugin metadata (.claude-plugin/plugin.json, marketplace.json)

Since these plugins generate code via Claude Code rather than executing application logic directly, the primary risk vectors are:

• Hook scripts that fail to detect hardcoded secrets
• Skill or agent instructions that could lead to insecure generated code
• Plugin metadata that could be manipulated in a supply chain attack

• Vulnerabilities in Claude Code itself (report to Anthropic)
• Vulnerabilities in the underlying protocols (UCP, ACP, AP2, A2A, WebMCP) — report to their respective maintainers
• Vulnerabilities in commerce platforms (Magento, BigCommerce, WooCommerce) — report to their respective security teams