fable-session is an unofficial tool and is not affiliated with Anthropic. Do not report issues in Anthropic products here, and do not report fable-session issues to Anthropic.
The only supported reporting channel is GitHub
private vulnerability reporting on the official repository,
https://github.com/getaskclaw/fable-session — the "Report a
vulnerability" button under the repository's Security tab. That
channel keeps a report private between you and the maintainers until a
fix is available.
If the "Report a vulnerability" button is not visible to you there, the channel has not (yet) been switched on by the maintainers or the repository is not (yet) accessible to you; in that case please wait and try again later rather than reporting anywhere else.
Please do not open a public issue for a security problem, and do not include real credentials, private transcripts, or personal data in a report — synthetic reproductions are enough.
There is no other reporting channel; this project deliberately publishes no security contact address.
Reports are welcome for anything that breaks this tool's documented guarantees, for example:
- prompt/task content leaking into manifests, watchdog state, or audit output (these must carry only hashes, sizes, and structural metadata);
- the runner emitting forbidden flags (
--fallback-model,--continue,--resume,--dangerously-skip-permissions) or an unpinned model; - symlink/path-traversal escapes past the state layer's
O_NOFOLLOWhardening, or non-atomic manifest/state writes; - the watchdog or audit claiming completion, purity, or interruption that the structured evidence does not prove.
Out of scope: anything that requires acting as the same UID as the tool's own user (a documented limitation), and any request to make the tool bypass, weaken, or evade safety safeguards — that is not a supported use case and will not be fixed "as a feature".
Only the latest release line — 0.3.x, currently the 0.3.0b1 public beta — receives security fixes.