Security: hanley-development/Agent-Portability-Kit

docs/SECURITY.md

Security Model

Trust boundaries

Repositories, archives, configuration files, skill sidecars, and generated output are untrusted data. The core parser does not execute source content, resolve environment variables, start MCP servers, install dependencies, or contact the network.

Required controls

  • Dry-run is the default.
  • Writes are repository-local and validated before execution.
  • User-authored files require exact-path approval.
  • Raw secrets are excluded from portable models, diagnostics, output, audits, and packages.
  • Archive members are inspected before extraction. Traversal, absolute paths, links, duplicate destinations, special files, excessive sizes, and suspicious compression ratios are rejected.
  • Wrappers validate variable presence without printing values or loading implicit user files.
  • Global configuration, registry, profiles, and home directories are never mutated by core commands.
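The archive-inspection control above, shown as an added example rather than the kit's own code: each member of a zip archive is checked for traversal, absolute paths, symlinks, special files, duplicate destinations, excessive size and suspicious compression ratio before anything is extracted. The size and ratio thresholds and the sample archive are assumptions constructed for the demonstration.

```python
import io
import posixpath
import stat
import zipfile

MAX_MEMBER_SIZE = 50 * 1024 * 1024  # assumed per-member cap (not a project value)
MAX_RATIO = 100                      # assumed uncompressed/compressed threshold


def inspect_members(zf: zipfile.ZipFile) -> list[tuple[str, str]]:
    """Return (member, reason) rejections; an empty list means extraction may proceed."""
    problems, seen = [], set()
    for info in zf.infolist():
        name = info.filename
        # Absolute POSIX paths and Windows drive-letter paths escape the target directory.
        if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
            problems.append((name, "absolute path"))
            continue
        norm = posixpath.normpath(name)
        if ".." in norm.split("/"):
            problems.append((name, "path traversal"))
            continue
        ftype = stat.S_IFMT(info.external_attr >> 16)  # unix mode lives in the high 16 bits
        if ftype == stat.S_IFLNK:
            problems.append((name, "symlink"))
            continue
        if ftype not in (0, stat.S_IFREG, stat.S_IFDIR):  # 0: no type bits recorded
            problems.append((name, "special file"))
            continue
        if norm in seen:  # "a/./b" and "a/b" would overwrite the same destination
            problems.append((name, "duplicate destination"))
            continue
        seen.add(norm)
        if info.file_size > MAX_MEMBER_SIZE:
            problems.append((name, "excessive size"))
            continue
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            problems.append((name, "suspicious compression ratio"))
    return problems


def build_sample() -> zipfile.ZipFile:
    """Constructed in-memory archive with one clean member and five that must be rejected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("agent/config.yaml", "name: demo\n")       # clean
        zf.writestr("../etc/cron.d/job", "x")                  # traversal
        zf.writestr("/etc/passwd", "x")                        # absolute
        zf.writestr("agent/./config.yaml", "again")            # duplicate destination
        zf.writestr("agent/bomb.bin", b"\0" * 200_000)         # extreme ratio
        link = zipfile.ZipInfo("agent/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16      # symlink to /etc/shadow
        zf.writestr(link, "/etc/shadow")
    buf.seek(0)
    return zipfile.ZipFile(buf)
```

A rejected archive is refused whole rather than partially extracted, so one hostile member cannot be used to smuggle the rest past the check.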

Report suspected secret exposure or unsafe archive behavior privately to the maintainers before publishing details.