If you find a security issue in this skill (the SKILL.md instructions, the install.sh script, or the manifest) please report it privately.
Do not open a public GitHub issue.
Contact: open a private security advisory at github.com/Ceki-me/realbrowser-skill/security/advisories/new or email security@ceki.me.
Expected acknowledgment: within 3 business days. Expected fix or status update: within 14 days for high-severity findings.
This repository contains:
- The skill's
SKILL.mdinstructions for AI agents - The
install.shsetup script - The
manifest.jsonClawHub metadata - Integration examples for popular MCP hosts
Out of scope:
- The
ceki-sdkCLI / Python SDK (separate repo — report there) - The Ceki backend API (closed source, report to
security@ceki.me) - The Ceki Chrome extension (separate distribution — report to
security@ceki.me) - The ClawHub registry itself (report to ClawHub security)
- The install.sh transmits unexpected data, persists unexpected state, or escalates privileges beyond what's declared in
manifest.json - SKILL.md instructions lead an AI agent to violate user privacy or intended scope
- A malicious
manifest.jsonentry or example config can leak the user's API key - A supply-chain risk via the
ceki-sdkdependency declaration
- General critiques of marketplace mechanics, pricing, or licensing — open a discussion instead
- Anti-bot regressions on third-party sites — see SKILL.md "When NOT to use"