From 380a1dde215873d3f1872786a5925da840fffa20 Mon Sep 17 00:00:00 2001 From: mohitagw15856 Date: Thu, 2 Apr 2026 10:37:30 +0100 Subject: [PATCH] docs: add CODE_OF_CONDUCT and SECURITY policy --- CODE_OF_CONDUCT.md | 39 ++++++++++++++++++++++++++++++++ SECURITY.md | 55 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 94 insertions(+) create mode 100644 CODE_OF_CONDUCT.md create mode 100644 SECURITY.md diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..02c80b3 --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,39 @@ +# Code of Conduct + +## Our Pledge + +This is an open-source community built around sharing useful Claude Skills across professions. Everyone who contributes, raises issues, or participates in discussions is expected to make this a welcoming and constructive space. + +We pledge to make participation in this project a harassment-free experience for everyone, regardless of age, background, disability, ethnicity, gender identity, level of experience, nationality, personal appearance, race, religion, or sexual identity. + +## Our Standards + +**Behaviour that helps this community thrive:** +- Sharing skills that solve real workflows, with honest descriptions of what they do +- Giving constructive feedback on PRs — specific, actionable, and respectful +- Acknowledging other contributors' work +- Being direct about limitations or gaps in a skill without being dismissive +- Helping newcomers get their first PR merged + +**Behaviour that is not acceptable:** +- Harassment, personal attacks, or dismissive comments on contributions +- Submitting skills that contain malicious instructions or prompt injection attempts +- Spamming issues or PRs with low-effort or off-topic content +- Claiming credit for someone else's skill file +- Any form of discrimination + +## Scope + +This Code of Conduct applies to all spaces managed by this project — GitHub Issues, Pull Requests, Discussions, and any other forums linked from this repo. + +## Reporting + +If you experience or witness unacceptable behaviour, contact the maintainer directly at **mohit15856@gmail.com**. All reports will be reviewed and responded to promptly and confidentially. + +## Enforcement + +The maintainer reserves the right to remove comments, close PRs, or ban contributors who violate this Code of Conduct. Decisions will be made fairly and explained where possible. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org), version 2.1. 
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..ce0274c --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,55 @@ +# Security Policy + +## Overview + +This repository contains Claude Skill files — plain markdown instruction files that teach Claude how to perform professional tasks. There are no backend services, APIs, authentication systems, or databases in this repo. + +That said, security matters here in two specific ways: **skill file safety** and **prompt injection risks**. + +## Supported Versions + +| Version | Supported | +|---|---| +| v4.0.0 (latest) | ✅ Active | +| v3.0.0 | ✅ Security fixes only | +| < v3.0.0 | ❌ No longer supported | + +## Skill File Safety + +All skills in this repo are reviewed before merging to ensure they: + +- Do not contain instructions designed to manipulate Claude into ignoring its guidelines +- Do not attempt prompt injection (e.g. hidden instructions to override system behaviour) +- Do not instruct Claude to request, store, or transmit personal or sensitive data +- Do not contain malicious commands disguised as skill instructions +- Do not include hardcoded credentials, API keys, or personally identifiable information + +**If you are installing skills from this repo:** skills are plain text markdown files. They do not execute code, make network requests, or access your file system on their own. Review any skill file before installing if you have concerns. + +## Reporting a Vulnerability + +If you discover a skill file in this repo that contains malicious instructions, a prompt injection attempt, or any content that could cause harm to users of Claude Code, please report it **privately** before raising a public issue. + +**How to report:** + +Email: **mohit15856@gmail.com** +Subject line: `[SECURITY] pm-claude-skills — ` + +Include: +- The skill file path (e.g. `plugins/pm-gtm/skills/go-to-market/SKILL.md`) +- A description of the issue +- Why you believe it is a security concern + +**Response time:** You will receive an acknowledgement within 48 hours and a resolution or update within 7 days. 
+ +Please do not open a public GitHub Issue for security vulnerabilities — use the email above. Public disclosure before a fix is in place puts other users at risk. + +## Community Contributions + +All pull requests adding new skill files are reviewed for the safety criteria listed above before merging. If you are submitting a skill, ensure it: + +- Only contains instructions relevant to the stated professional workflow +- Does not include any attempt to override Claude's built-in guidelines +- Does not ask Claude to collect or relay user data + +See [CONTRIBUTING.md](CONTRIBUTING.md) for full contribution guidelines.
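Review bot: In the CODE_OF_CONDUCT.md hunk, the Attribution section names Contributor Covenant 2.1 but the body drops that version's Enforcement Guidelines (the graded correction/warning/temporary ban/permanent ban ladder) and replaces it with a single "Enforcement" sentence; either keep the ladder so contributors know what consequences to expect, or reword the attribution as "loosely adapted from" and link the specific 2.1 text rather than the site root. The Reporting section also promises confidentiality but gives no expected response window, while SECURITY.md in the same patch commits to 48 hours; stating a matching acknowledgement time here keeps the two policies consistent.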
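Review bot: In the SECURITY.md hunk, the "If you are installing skills from this repo" paragraph states that skills "do not execute code, make network requests, or access your file system on their own", which contradicts the review criteria a few lines above ("malicious commands disguised as skill instructions") and the reporting section ("content that could cause harm to users of Claude Code"): a SKILL.md is interpreted by an agent that can run shell commands and read or write files, so its instructions can trigger exactly those effects indirectly. Reword it to say the files contain no executable code themselves but are acted on by an agent with tool access, and advise reviewing the instructions with that in mind. Two smaller points: the subject-line template `[SECURITY] pm-claude-skills — ` ends in a dangling dash, so add a placeholder such as `<short description>`; and the Supported Versions table lists v4.0.0 and v3.0.0 without saying what a "version" of a markdown-only repo corresponds to (tag, release, or plugin manifest version), which a reporter needs in order to state which version is affected.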