Skip to content

Security: abdalrahman-ahmed/agentflow-template

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.x ✅ Yes

Reporting a Vulnerability

If you discover a security vulnerability in AgentFlow, please do not open a public GitHub issue.

Instead, please report it privately via one of the following channels:

What to Include

Please include the following in your report:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any relevant file paths or code snippets
  • Your recommended fix (optional)

Response Timeline

  • Acknowledgement: Within 48 hours
  • Assessment: Within 5 business days
  • Fix / Patch Release: Based on severity — Critical: 72 hours, High: 7 days, Medium/Low: next release

Scope

This skill operates strictly within the user's local workspace. It:

  • Does not make outbound network requests (except via agy CLI which is explicitly controlled by the user)
  • Does not read or write files outside the current workspace directory
  • Does not store credentials, API keys, or secrets in state files
  • Does not execute arbitrary user-supplied shell code — only pre-defined validation commands based on project tech stack

Security Design Principles

  1. Least Privilege: The skill only accesses files within .agents/ and the workspace root
  2. Audit Trail: Every execution persists a state file under .agents/skills/agentflow/state/ for traceability
  3. No Credential Storage: sessions.json stores only server address references, never tokens or passwords
  4. Explicit Scope Boundaries: The skill cannot be invoked without the explicit /agentflow prefix
  5. Self-Correction Limits: Auto-correction is capped at 3 attempts to prevent runaway execution

Dependencies

This skill has zero runtime dependencies beyond Node.js built-ins (fs, path, child_process, crypto, os). The agy and agentapi binaries are provided by the Antigravity IDE environment and are not bundled in this repository.

There aren't any published security advisories