security-issue-triagelisted

<!-- Placeholder convention (see AGENTS.md#placeholder-convention-used-in-skill-files): <project-config> → adopting project's `.apache-steward/` directory <tracker> → value of `tracker_repo:` in <project-config>/project.md (example: airflow-s/airflow-s for the Apache Airflow security team) <upstream> → value of `upstream_repo:` in <project-config>/project.md (example: apache/airflow) <security-list> → value of `security_list:` in <project-config>/project.md Before running any bash command below, substitute these with the concrete values from the adopting project's <project-config>/project.md. --> # security-issue-triage This skill is the **initial-triage discussion-starter** for security tracker issues. For each [`<tracker>`](https://github.com/<tracker>) issue carrying the `needs triage` label, it reads the body + comments, applies the project's Security Model framing, classifies the candidate disposition, and — on the user's explicit confirmation — posts a triage-proposal comment that invites the security team to react. The skill **never flips `needs triage` to a scope label**, **never closes**, **never allocates a CVE**, **never edits the body**. The valid / invalid decision belongs to team consensus; this skill opens the discussion that produces it, and the sibling skills below apply the state change once consensus lands. It composes with: - [`security-issue-import`](../security