| finding_id | title | current_status | current_paths | validation_reason | evidence |
| --- | --- | --- | --- | --- | --- |
| 1 | Unsanitized frontmatter name enables path traversal in sync script | obsolete/not reproducible on current HEAD | tools/scripts/sync_microsoft_skills.py | sync_microsoft_skills.py now sanitizes flat names and constrains delete/copy targets to safe in-repo paths. | tools/scripts/tests/test_sync_microsoft_skills_security.py |
| 2 | Stored XSS via rehype-raw rendering of skill markdown | obsolete/not reproducible on current HEAD | apps/web-app/src/pages/SkillDetail.tsx | SkillDetail still renders markdown without rehype-raw; the reported stored-XSS path does not reproduce. | apps/web-app/src/pages/SkillDetail.tsx |
| 3 | Symlink-following copy leaks host files in setup_web | obsolete/not reproducible on current HEAD | tools/scripts/setup_web.js | setup_web.js now uses lstatSync plus resolveSafeRealPath() and skips out-of-root symlinks. | tools/scripts/tests/copy_security.test.js |
| 4 | Insecure install guidance allows remote script execution | obsolete/not reproducible on current HEAD | skills/apify-actorization/SKILL.md | The Apify skill no longer recommends pipe-to-shell installs or token-on-command-line login. | skills/apify-actorization/SKILL.md |
| 5 | setup_web.js now follows symlinks, enabling file exfiltration | duplicate of another finding | tools/scripts/setup_web.js | Same root cause/fix area as finding 3. | tools/scripts/setup_web.js |
| 6 | Symlink traversal in web asset setup copies arbitrary files | duplicate of another finding | tools/scripts/setup_web.js | Same root cause/fix area as finding 3. | tools/scripts/setup_web.js |
| 7 | Symlink file copying in .github/skills sync leaks host files | obsolete/not reproducible on current HEAD | tools/scripts/sync_microsoft_skills.py | Microsoft sync now rejects unsafe symlink targets and only accepts safe regular files that stay within the cloned source root. | tools/scripts/tests/test_sync_microsoft_skills_security.py |
| 8 | Symlinked file copy in Microsoft skill sync can leak host data | duplicate of another finding | tools/scripts/sync_microsoft_skills.py | Same root cause/fix area as finding 7. | tools/scripts/sync_microsoft_skills.py |
| 9 | Committed Python bytecode can hide malicious logic | obsolete/not reproducible on current HEAD | skills/ui-ux-pro-max/scripts/__pycache__ | Tracked __pycache__ artifacts are absent on current main and repo hygiene tests fail if they reappear. | tools/scripts/tests/repo_hygiene_security.test.js |
| 10 | Symlinked SKILL.md can leak host files via index script | obsolete/not reproducible on current HEAD | tools/scripts/generate_index.py | generate_index.py now ignores symlinked SKILL.md files during index generation. | tools/scripts/tests/test_frontmatter_parsing_security.py |
| 11 | Example loader trusts manifest paths, enabling file read | obsolete/not reproducible on current HEAD | docs/integrations/jetski-gemini-loader/loader.mjs | The Jetski loader rejects symlinked skill directories/files and any resolved SKILL.md outside the configured skills root. | tools/scripts/tests/jetski_gemini_loader.test.cjs |
| 12 | TLS certificate verification disabled in new scrapers | obsolete/not reproducible on current HEAD | skills/junta-leiloeiros/scripts/scraper/base_scraper.py \| skills/junta-leiloeiros/scripts/web_scraper_fallback.py | TLS verification is enabled by default again; insecure behavior requires an explicit opt-out environment flag. | skills/junta-leiloeiros/scripts/scraper/base_scraper.py |
| 13 | Complete bundle omits valid skill categories | obsolete/not reproducible on current HEAD | tools/lib/skill-filter.js \| tools/scripts/build-catalog.js \| data/bundles.json | The old helper-path omission still does not drive shipped bundle output; current bundles come from build-catalog.js. | tools/scripts/build-catalog.js |
| 14 | Malformed frontmatter delimiter breaks YAML parsing for skills | obsolete/not reproducible on current HEAD | skills/alpha-vantage/SKILL.md | The malformed --- Unknown frontmatter regression is no longer present in alpha-vantage. | tools/scripts/tests/repo_hygiene_security.test.js |
| 15 | ws_listener writes sensitive events to predictable /tmp files | obsolete/not reproducible on current HEAD | skills/videodb/scripts/ws_listener.py | ws_listener.py now defaults to a user-owned state directory and uses secure file creation. | tools/scripts/tests/local_temp_safety.test.js |
| 16 | Symlink traversal lets /skills/ serve arbitrary local files | obsolete/not reproducible on current HEAD | apps/web-app/refresh-skills-plugin.js | refresh-skills-plugin.js resolves real paths under the skills root before serving /skills/*; the public Pages app no longer exposes the maintainer sync surface. | apps/web-app/refresh-skills-plugin.js |
| 17 | Sync Skills endpoint follows symlinks from downloaded archive | duplicate of another finding | apps/web-app/refresh-skills-plugin.js | Same root cause/fix area as finding 16. | apps/web-app/refresh-skills-plugin.js |
| 18 | Validation crash if YAML frontmatter is not a mapping | obsolete/not reproducible on current HEAD | tools/scripts/validate_skills.py | validate_skills.py now rejects non-mapping YAML frontmatter cleanly instead of crashing downstream validation. | tools/scripts/tests/test_frontmatter_parsing_security.py |
| 19 | Anonymous Supabase writes allow skill star tampering | obsolete/not reproducible on current HEAD | apps/web-app/src/hooks/useSkillStars.ts \| apps/web-app/src/lib/supabase.ts | useSkillStars now stores saves locally in the browser and no longer performs shared frontend writes through the public Supabase client. | apps/web-app/src/hooks/useSkillStars.ts |
| 20 | Metadata fixer overwrites symlinked SKILL.md targets | obsolete/not reproducible on current HEAD | tools/scripts/fix_skills_metadata.py | fix_skills_metadata.py now skips symlinked SKILL.md files and non-mapping frontmatter. | tools/scripts/fix_skills_metadata.py |
| 21 | Installer now dereferences symlinks during copy | obsolete/not reproducible on current HEAD | tools/bin/install.js | install.js now uses lstatSync plus resolveSafeRealPath() and skips symlinks that resolve outside the cloned repo root. | tools/scripts/tests/copy_security.test.js |
| 22 | Installer merge path dereferences symlinks when copying | duplicate of another finding | tools/bin/install.js | Same root cause/fix area as finding 21. | tools/bin/install.js |
| 23 | Cleanup sync deletes arbitrary paths via flat_name | duplicate of another finding | tools/scripts/sync_microsoft_skills.py | Same root cause/fix area as finding 1. | tools/scripts/sync_microsoft_skills.py |
| 24 | Audio transcription example allows Python code injection | obsolete/not reproducible on current HEAD | skills/audio-transcriber/examples/basic-transcription.sh | The audio transcription example now uses a quoted heredoc and passes values via environment variables. | skills/audio-transcriber/examples/basic-transcription.sh |
| 25 | Unbounded recursive skill traversal can crash catalog build | obsolete/not reproducible on current HEAD | tools/lib/skill-utils.js \| tools/scripts/build-catalog.js | The claimed recursive symlink traversal in catalog discovery still does not reproduce on current code paths. | tools/lib/skill-utils.js |
| 26 | Release scripts still use root skills_index.json path | obsolete/not reproducible on current HEAD | tools/scripts/update_readme.py \| tools/scripts/generate_index.py \| tools/scripts/release_workflow.js | Root skills_index.json remains the canonical generated index, so the reported release-script path mismatch does not reproduce. | tools/scripts/release_workflow.js |
| 27 | Symlink traversal in skill normalization allows file overwrite | obsolete/not reproducible on current HEAD | tools/lib/skill-utils.js \| tools/scripts/normalize-frontmatter.js | skill-utils.js now relies on lstatSync-based safe directory/file discovery, so normalization does not treat symlinked skill folders as writable local skills. | tools/lib/skill-utils.js |
| 28 | last30days skill passes user input directly to Bash command | obsolete/not reproducible on current HEAD | skills/last30days/SKILL.md | The last30days skill still passes user input as a quoted value through a temp file, so the reported direct shell-injection sink does not reproduce. | skills/last30days/SKILL.md |
| 29 | Unvalidated YAML frontmatter can crash index generation | duplicate of another finding | tools/scripts/generate_index.py | Same root cause/fix area as finding 18. | tools/scripts/generate_index.py |
| 30 | Predictable /tmp counter file enables local file clobbering | obsolete/not reproducible on current HEAD | skills/cc-skill-strategic-compact/suggest-compact.sh | The strategic compact hook now stores state under XDG_STATE_HOME instead of predictable shared /tmp paths. | tools/scripts/tests/local_temp_safety.test.js |
| 31 | Symlink traversal risk in new sync script | obsolete/not reproducible on current HEAD | tools/scripts/sync_recommended_skills.sh | sync_recommended_skills.sh now preserves symlinks with cp -RP and avoids the destructive glob-delete pattern from the original report. | tools/scripts/tests/repo_hygiene_security.test.js |
| 32 | skills_manager allows path traversal in enable/disable operations | obsolete/not reproducible on current HEAD | tools/scripts/skills_manager.py | skills_manager.py now resolves candidate paths relative to the intended base directory and rejects traversal attempts. | tools/scripts/tests/test_skills_manager_security.py |
| 33 | Zip Slip risk in Office unpack scripts | obsolete/not reproducible on current HEAD | skills/docx-official/ooxml/scripts/unpack.py \| skills/pptx-official/ooxml/scripts/unpack.py | The Office unpack helpers now validate archive members and reject traversal/symlink-style entries before extraction. | tools/scripts/tests/test_office_unpack_security.py |