Security reports are relevant for:

• credential handling in base_config.json and env fallback logic
• adapter authentication and message handling
• generated code and file-writing behavior in skill_writer
• dependencies that expose MacroAgent to remote input

Please do not open public issues for security-sensitive problems.

Report privately with:

• a short summary
• impact
• reproduction steps
• affected files or adapters
• suggested mitigation if available

If private contact details are not yet published for this repository, use the repository owner contact method and clearly label the report as a security issue.

• reports will be triaged before public disclosure
• sensitive reproduction details should stay private until a fix is ready
• fixes should include regression tests when practical