Please do NOT open public issues for security vulnerabilities.

Report vulnerabilities via GitHub Security Advisories.

You will receive an acknowledgment within 48 hours and a detailed response within 5 business days indicating next steps.

CodeBuddy implements the following security measures:

• All API keys and credentials stored via VS Code secretStorage API (OS-level encryption)
• Secrets never logged or included in telemetry
• Per-skill secret isolation with scoped key naming

• Shell argument escaping for POSIX, cmd.exe, and PowerShell (shell-escape.ts)
• Binary name validation (isSafeCommandName)
• Command length limits enforced
• Terminal isolation via VS Code Terminal API (env vars not leaked to parent shell)

• Blocklist prevents injection of dangerous variables: LD_PRELOAD, LD_LIBRARY_PATH, DYLD_INSERT_LIBRARIES, PATH, HOME, SHELL, TMPDIR, IFS, SSH_AUTH_SOCK, etc.
• Skills receive only their declared environment variables

• TypeScript strict mode
• ESLint with @typescript-eslint/recommended
• Datadog SAST ruleset (JavaScript security, Node.js security, browser security)

• Dependabot enabled for automated vulnerability scanning (npm + GitHub Actions)
• npm audit integrated into CI pipeline
• Dependencies pinned via package-lock.json with npm ci for reproducible builds

• Configurable auto-approve, file edit, and terminal execution permissions
• User consent required for destructive operations
• Skill permission model with minimal-privilege defaults