Skip to main content
IntentLang

Trust

Security and responsible disclosure

IntentLang exists to make software more verifiable, so we hold our own to the same standard: inspectable, deterministic, and honest about limits.

Posture

  • The CLI and compiler run offline, with no AI and no network access required.
  • Decision evaluation uses a safe, no-eval expression engine.
  • The compiler itself flags security risks in your intent (secrets on the event bus, unauthenticated sensitive output, unverified global invariants).
  • Pre-1.0: not yet independently audited. We do not claim "enterprise-grade" or "fully secure."

Report a vulnerability

If you find a security issue, please report it privately , do not open a public issue. Email support@skillstechtalk.com with steps to reproduce. We will acknowledge, work a fix, and credit you unless you prefer otherwise.

Scope

In scope: the @skillstech/intentlang package, this website, and the Playground compile endpoint. The deterministic core has no data store, so the attack surface is small by design. The hosted ecosystem products (Studio, Engine) are separate and will publish their own policies as they ship.