If you discover a security vulnerability in Gemini-Kit, please report it responsibly:

1. DO NOT create a public GitHub issue for security vulnerabilities
2. Email: Create a private security advisory
3. Or contact via GitHub Discussions (private message)

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

Gemini-Kit includes built-in security protections:

The before-tool hook automatically detects and blocks:

• AWS Access Keys & Secrets
• GitHub/GitLab Tokens
• OpenAI/Anthropic API Keys
• Private Keys (RSA, SSH, PEM)
• Database Connection Strings
• JWT Secrets

Dangerous commands are blocked:

• rm -rf /
• Fork bombs
• Pipe to shell (curl | sh)

All file operations validate paths using validatePath() to prevent:

• Directory traversal attacks (../)
• Access to sensitive system files

Before making changes:

• kit_create_checkpoint - Creates git checkpoint
• kit_restore_checkpoint - Rollback if needed

• /code-preview - Preview changes before applying

1. Review changes before accepting AI-generated code
2. Use checkpoints before large operations
3. Don't store secrets in your codebase
4. Review diffs before committing

1. Run npm test before submitting PRs
2. Run npm run lint to check code quality
3. Add tests for security-sensitive features
4. Follow secure coding practices

We thank the security researchers who help keep Gemini-Kit safe.