great_cto is a Claude Code plugin that operates on your repository through file writes, git commits, and shell commands via Claude Code's tool framework. Security issues in the plugin can lead to unwanted modifications of user code, exposure of secrets through agent context, or privilege escalation via prompt injection.

Only the latest minor release line receives security fixes. great_cto versioning tracks a single-track v1.0.x series at present — when v1.1.0 ships, the v1.0.x line enters a 30-day end-of-life window.

Check your installed version: grep version .claude/plugins/cache/local/great_cto/*/\.claude-plugin/plugin.json

Preferred channel: open a private security advisory on GitHub. Do not open a public issue for vulnerabilities.

• Affected component (agents/<name>.md, commands/<name>.md, skills/…, packages/cli/…, or plugin hooks in .claude-plugin/plugin.json)
• Affected versions (or main branch commit SHA)
• Reproduction steps — ideally a minimal repository or a scripted fixture
• Observed impact — what the attacker can achieve (file write, secret exfiltration, command execution, agent privilege escalation)

If you do not receive an acknowledgement within 72 hours, resend with [URGENT] in the subject.

Please allow a reasonable embargo window (default 30 days after fix is merged) before public disclosure. Credit will be given in CHANGELOG.md unless you request anonymity.

great_cto is opinionated infrastructure that runs Claude Code agents on your code. The following are out of scope for this policy — they are properties of Claude Code itself or the underlying LLM, not of great_cto:

• Prompt injection attacks against Claude (use Claude Code's built-in safeguards — PreToolUse hooks, permission prompts)
• LLM hallucinations producing incorrect code or ADRs
• Anthropic API availability or rate limits
• The safety of third-party dependencies listed in .claude-plugin/plugin.json (superpowers, beads)

great_cto does include defence-in-depth hooks for the most common risks:

• PreToolUse.Bash hook blocks rm -rf /, git push --force, DROP TABLE, and similar destructive patterns before they reach the shell
• PermissionDenied hook logs all denied tool calls to .great_cto/permission-denied.log for forensics
• Agents declare narrow tools: frontmatter — e.g. qa-engineer has no Write access

If you find a way to bypass these hooks, that is in scope. Report it.

When assessing a finding, note which layer it applies to:

1. Plugin hooks (.claude-plugin/plugin.json) — run unconditionally on session events. Highest blast radius.
2. Agent frontmatter (agents/*.md) — controls which tools each agent can use. Over-broad tools: is a misconfiguration bug.
3. Command skills (commands/*.md) — shell commands embedded in markdown. Shell-injection through argument expansion is possible if $1 is not quoted.
4. CLI installer (packages/cli/) — pure Node, no network calls during init except npm resolution. Runs with user's permissions.

Security-relevant releases are marked with a 🛡 emoji in CHANGELOG.md and cross-referenced here:

No security advisories published yet. This section is updated on first published advisory.