This document outlines the security policy for the Switch Dimension Skills repository.
Only skills in the main branch or tagged releases of this repository (switch-dimension/switch-dimension-skills) are supported and approved for use within the organization. main is the latest approved skill set; tagged releases are stable snapshots for reproducibility and rollback.
| Version / Source | Supported |
|---|---|
main branch (latest) |
✅ Approved |
| Tagged releases | ✅ Approved |
| Third-party skill repos | ❌ Not approved without PR review |
| Local modifications | ❌ Not supported |
Tagged releases follow Semantic Versioning. Breaking skill changes, removals, renames, or policy changes require a major release. New skills and backward-compatible capability additions use minor releases. Documentation, CI, security scanning, typo fixes, and small corrections use patch releases.
To maintain security and consistency across the organization:
- Only install skills from this repository. Use:
npx skills add switch-dimension/switch-dimension-skills- Do not install skills directly from external repositories. If a third-party skill is needed:
- Import it with
npm run skills:propose -- skill-nameornpm run skills:propose -- owner/skill-repo --skill skill-name - Review the Pull Request opened by the CLI
- The skill must pass security review before merging
- Once merged, install from this repo
- Verify the source after installation by checking
skills-lock.json:
- The
sourcefield should beswitch-dimension/switch-dimension-skills - The
sourceTypeshould begithub
- Pin to specific commits when possible to ensure reproducibility.
If you discover a security vulnerability in any skill or repository configuration:
- Open a public issue on GitHub
- Discuss the vulnerability in public channels
- Submit a PR that exposes the vulnerability details
- Email security concerns to: security@switchdimension.com
- Include:
- Description of the vulnerability
- Steps to reproduce (if applicable)
- Potential impact assessment
- Any suggested remediation
| Severity | Acknowledgment | Initial Assessment | Resolution Target |
|---|---|---|---|
| Critical | 24 hours | 48 hours | 7 days |
| High | 48 hours | 72 hours | 14 days |
| Medium | 72 hours | 1 week | 30 days |
| Low | 1 week | 2 weeks | 90 days |
- Report received and acknowledged
- Initial assessment and severity classification
- Investigation and fix development
- Fix tested and validated
- Security advisory published (if appropriate)
- Reporter credited (with permission)
All changes to this repository undergo automated security scanning:
- Secret Detection: TruffleHog scans for committed credentials
- Static Analysis: Semgrep checks for dangerous code patterns
- Skill Validation: Custom linting validates SKILL.md format and content
- Dependency Review: Automated checks for vulnerable dependencies
When contributing new skills, ensure:
- No Secrets: Never commit API keys, passwords, tokens, or credentials
- No Remote Execution: Avoid patterns like
curl | shoreval() - No Hardcoded Paths: Use relative paths within the workspace
- No Unauthorized Network Calls: Minimize external network requests
- Input Validation: Sanitize any user input in scripts
- Least Privilege: Skills should do only what they claim
In the event of a security incident:
- The skill or configuration will be immediately reviewed
- If confirmed, the affected skill will be removed or patched
- A security advisory will be issued to all users
- Post-incident review will inform policy updates
- Security inquiries: security@switchdimension.com
- Repository owner: @robshox
- General questions: Open an issue (for non-security topics)