Do not open a public GitHub issue for security concerns.
If you discover a vulnerability in maxvision:
- Email producoes.maxvision@gmail.com with subject `[SECURITY] maxvision: <short description>`.
- Include:
  - A description of the vulnerability
  - Steps to reproduce (if possible)
  - The version of the plugin (the `version` field in `.claude-plugin/plugin.json`) and the commit sha you tested against
  - Any proposed fix or mitigation
We aim to acknowledge reports within 5 business days and to release a fix within 30 days for confirmed high/critical issues.
This plugin orchestrates third-party skill installation. The primary risks are:
| Risk | Mitigation |
|---|---|
| Malicious upstream skill cloned into `~/.claude/skills/` | Single confirmation per install; tier_4 entries always show warning text; only public, license-checked sources in the catalog |
| Compromised marketplace plugin | Plugin install commands are interactive (`/plugin install` requires user confirmation in Claude Code's UI); no programmatic install |
| Stale `.maxvision-source.json` claiming false provenance | `check-version` always re-fetches the upstream sha when the cache is stale or `--force-check` is passed |
| Cache poisoning of `~/.claude/cache/maxvision/version-check.json` | Cache is read/write by the user account that owns Claude Code; if the user account is compromised, this plugin is not the weakest link |
| Unauthenticated `gh api` rate limiting | Plugin requires `gh auth login` and surfaces the 60/h vs 5,000/h difference clearly |
| Force-push or destructive git operation | Plugin only uses `git pull --ff-only` and sparse-checkout; never force-pushes or resets |
- Vulnerabilities in third-party skills installed via the catalog. Report those to the respective upstream repos.
- General Claude Code platform vulnerabilities. Report to github.com/anthropics/claude-code.
- Vulnerabilities in the `gh` CLI, `git`, `jq`, or `npx`. Report to the upstream maintainers.
Confirmed vulnerabilities will be disclosed in CHANGELOG.md after a fix is released, with credit to the reporter (unless the reporter requests otherwise).