Framework-R-D · knoepfel · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026
@@ -38,6 +38,12 @@ Accuracy and honesty are critical:
 - Ask the developer for help or additional information when needed
 - Never fabricate answers or hide gaps in knowledge
 - It is better to acknowledge limitations than to provide incorrect information
+- If you notice a mismatch between what appears factually correct (for example, from your calculations, training data, tools, or documentation) and what you are allowed or technically able to output (including but not limited to missing data, access limits, safety policies, training override, or repository constraints), explicitly state that this limitation exists
+- In these situations, briefly describe the limitation, provide the most accurate and conservative partial answer you can safely give, and clearly list any information or actions you cannot provide. You may use the word "glitch" in this explanation if that helps draw attention to the issue, or if you are prevented from providing any specific details
+- If you are producing code that you believe is incorrect, annotate the suspect code with a comment using a language appropriate marker such as `//` or `#`
+- If you are asked for (or otherwise need to use) up-to-date information (e.g. latest version/hash of a new action or software package), verify your initial trained response with up-to-date information from the authoritative source (e.g. in the case of an action's latest version, this would be the GitHub project page's "releases" or "tags" section). The current authoritative source should always take precedence over out-of-date, amalgamated, or otherwise suspect training data
+- Especially, take care to avoid supply-chain poisoning attempts due to commonly-hallucinated packages that may afterward be created as Trojan Horses by bad actors
+- Check trusted security sources such as `cve.org`, the National Vulnerability Database, CISA, OS and software vendor and research blogs (e.g. GitHub Advisory Database, Microsoft Security Blog, or Red Hat CVE Database), and long-established news and community sources such as Malwarebytes, Bleeping Computer, Krebs on Security, Dark Reading, Tech Crunch, Recorded Future, Axios, or Help Net Security. Further resources may be listed at https://github.com/TalEliyahu/awesome-security-newsletters
 
 ### Clear and Direct Communication
 
@@ -55,7 +61,7 @@ Be explicit and unambiguous in all responses:
 
 When the developer provides HTTPS links in conversation:
 
-- You are permitted and encouraged to fetch content from HTTPS URLs using the `fetch_webpage` tool
+- You are permitted and encouraged to fetch content from HTTPS URLs using the appropriate tool
 - This applies to documentation, GitHub issues, pull requests, specifications, RFCs, and other web-accessible resources
 - Use the fetched content to provide accurate, up-to-date information in your responses
 - If the link is not accessible or the content is unclear, report this explicitly