Report security issues privately via GitHub's "Report a vulnerability" link on the Security tab.

I aim to acknowledge within 7 days. Coordinated disclosure preferred.

This extension is sideloaded locally and never published to the Marketplace. It runs in the VS Code markdown preview webview and has no network access, no command registration that takes user input, and no file writes outside its own folder.