| Version | Supported |
|---|---|
| main branch | ✅ Yes |
CKIS is a knowledge management template system. Security concerns are most likely to arise from:
- Scripts that run with shell access —
.brain/scripts/,.claude/scripts/, crontab entries - Hooks that fire automatically — Claude Code hooks in
settings.json - Cron jobs using
claude -p— headless Claude sessions
To report a security issue:
- Do NOT open a public GitHub issue for security vulnerabilities.
- Contact the maintainer via GitHub Discussions (private) or email via the GitHub profile.
- Include: description of the vulnerability, steps to reproduce, potential impact.
You will receive a response within 72 hours.
- No secrets in the vault — The vault must never contain
.envfiles, API keys, OAuth tokens, or credentials. The.gitignoreis pre-configured to block common secret files. - Cron scripts use
source ~/.claude/.env— API keys for headless Claude are stored in a chmod 600 file outside the vault. - MCP tokens — If using
.mcp.json, it is listed in.gitignoreand must never be committed. - No eval from untrusted sources — No scripts in this template execute code from URLs.
Hooks in settings.json run shell commands automatically. Before enabling any hook:
- Review the script it calls
- Ensure the script path is not world-writable
- Test in a non-production vault first