Security: Luv-Goel/clawkit

Security Policy

Supported Versions

Version Supported
0.1.x ✅ Active

Reporting a Vulnerability

If you discover a security vulnerability in clawkit, please report it privately.

Do not open a public issue. Instead, email the maintainer directly or use GitHub's private vulnerability reporting feature.

What to include

  • Description of the vulnerability
  • Steps to reproduce
  • Affected version(s)
  • Potential impact
  • Any suggested fix (if available)

Response

You can expect an acknowledgement within 48 hours, and a detailed response within 7 days. We'll keep you informed of progress toward a fix.

Security Practices

  • Zero dependencies — reduces supply-chain risk.
  • No network calls — clawkit operates entirely locally.
  • No telemetry — no data is sent anywhere.
  • SARIF output — the secrets scanner supports standard SARIF format for CI/CD integration.

There aren't any published security advisories