Praxen is a security tool. We take vulnerabilities in Praxen itself seriously. This document describes how to report one privately, what is in scope, and what to expect after you report.
Praxen runs as a skill inside your coding agent (Claude Code, OpenAI Codex, or similar) — not as a standalone, sandboxed service. Two properties are worth stating plainly before you run it:
./reports/ directory. It does not act on the agent’s behalf and does not modify the agent’s code, skill files, configuration, or dependencies. But this is a behavioral contract of the skill’s instructions, not a technical sandbox — Praxen runs with the coding agent’s ordinary tool access (including Bash and Write), so the read-only posture is enforced by convention rather than by an isolation boundary. (This is the same declared-versus-enforced distinction Praxen itself flags when it scans other agents.) Run Praxen only where you already trust the coding agent to operate../reports/ (HTML, JSON, text). Nothing phones home.For guidance on interpreting Praxen’s output — a model-assisted expert review rather than a deterministic gate — see Working with Praxen.
In scope — vulnerabilities in Praxen itself:
behavior-verifier skill (the prompt and step graph in skills/behavior-verifier/SKILL.md).skills/behavior-verifier/render.py) and report template (report_template.html).skills/behavior-verifier/schema.py, findings.schema.json)..claude-plugin/plugin.json, marketplace.json).build.sh) and release (.github/workflows/release.yml) pipelines, and the published praxen-X.Y.Z.zip artifacts.Examples of in-scope issues: an injection in a finding’s evidence.snippet that escapes the HTML escaper and executes script in the rendered report; a path-traversal in render.py that lets a crafted findings JSON write outside the output directory; a tampered release artifact.
Out of scope — findings about the agents Praxen analyses. If you run Praxen against an AI agent and Praxen reports a finding against that agent, that is normal output of the tool, not a vulnerability in Praxen. Please report those to the agent’s own maintainer, not here.
Do not file a public GitHub issue for a security vulnerability. Public issues are indexed and broadcast immediately; that is the wrong channel for an unpatched defect.
Use GitHub’s private security advisory:
GitHub will create a private advisory thread between you and the project maintainers. We will respond there.
If GitHub Security Advisories are unavailable to you for any reason, email developer@exabeam.com with the subject line Praxen security report and the same level of detail.
If you do not hear back from us within the windows above, please nudge the thread or escalate via the email address above.
Security fixes ship in the latest released 0.x line. Praxen is pre-1.0 and there is no LTS branch; please upgrade to the latest tagged release before reporting.
| Version | Receiving security fixes |
|---|---|
| Latest tagged release | ✓ Yes — always upgrade to the newest release before reporting |
| Anything older than the latest release | No — no back-porting while pre-1.0; no LTS branch yet |
0.6.x and earlier (under the former name Praxa, at Exabeam/deckard) |
No — superseded by the rename, not maintained |