Merge branch 'pr-38' into 0.0.3-draft

skills/polymarket-browse/SECURITY.md

@@ -0,0 +1,25 @@
+# Security Policy
+
+## Security Audit (2026-03-25)
+
+This document tracks security issues found during the 2026-03-25 audit.
+
+## Fixed Issues
+
+| Issue | Severity | Fixed Date | Fix |
+|-------|----------|------------|-----|
+| Telegram bot token in process command line | CRITICAL | 2026-03-25 | Switched to Python urlopen from curl subprocess |
+| HTML injection in Telegram messages | HIGH | 2026-03-25 | Added escape_html() function |
+| Insufficient --search URL encoding | MEDIUM | 2026-03-26 | Use urllib.parse.quote() |
+| --detail bounds not validated | MEDIUM | 2026-03-26 | Error on out of range |
+| No response size limits | MEDIUM | 2026-03-26 | MAX_RESPONSE_SIZE check |
+| Bare except: clauses | LOW | 2026-03-26 | Catch specific exceptions |
+| No API rate limiting | LOW | 2026-03-26 | TokenBucket rate limiter |
+
+## Open Issues
+
+All security issues from this audit have been addressed in subsequent releases.
+
+## Reporting Security Issues
+
+If you find a security vulnerability, please report it by opening an issue.