docs: add security findings triage for 2026-03-15

sck_0
2026-03-15 08:48:58 +01:00
parent 6ca9aee56a
commit 662d2b25ed
2 changed files with 92 additions and 0 deletions


@@ -0,0 +1,34 @@
finding_url,repository,repository_url,title,description,severity,status,detected_at,committed_at,author_email,assignee_name,assignee_email,has_patch,configured_scan_id,commit_hash,relevant_paths,resolution_reason,current_head_sha,current_paths,triage_status,root_cause,priority_bucket,canonical_finding,validation_reason,minimal_fix,test_plan,target_pr
https://chatgpt.com/codex/security/findings/9206906222ec81919b079cbff33f24cb,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Unsanitized frontmatter name enables path traversal in sync script,"sync_microsoft_skills.py v4 extracts the frontmatter `name` field from each SKILL.md and directly concatenates it with the target directory path. Because the value is not validated or sanitized, a malicious upstream SKILL.md could set `name: ../../../../.ssh` or an absolute path, causing the sync process to create directories and copy files outside the intended skills/ directory. This enables arbitrary file write/overwrite on the machine running the sync script (CI or maintainer workstation), which is a supply-chain risk if the upstream repo is compromised or a malicious contribution is synced.",high,new,2026-03-13T21:49:23.266050Z,2026-02-12 00:17:38 +0500,ar27111994@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,e7ae616385680e37e8b1a9a0327cd97796ac2778,scripts/sync_microsoft_skills.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/sync_microsoft_skills.py,still present and exploitable,Microsoft sync trusted frontmatter-derived flat names for filesystem writes and cleanup deletes.,filesystem-trust-boundary,Unsanitized frontmatter name enables path traversal in sync script,"On origin/main, sync_microsoft_skills.py used the parsed frontmatter name directly under TARGET_DIR and cleanup_previous_sync reused flat_name from attribution without constraining it to skills/.",Sanitize flat names to a single safe path segment and refuse cleanup/copy targets that resolve outside the cloned repo or local skills/ root.,python3 tools/scripts/tests/test_sync_microsoft_skills_security.py,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/36213642db54819183a4a3c2ed6a7baf,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Stored XSS via rehype-raw rendering of skill markdown,"The SkillDetail page now enables `rehype-raw` while rendering SKILL.md content. Skill markdown is sourced from the repo (and external syncs) and is effectively untrusted. With `rehype-raw`, any HTML inside SKILL.md is parsed into the DOM, allowing attackers to inject scripts or event handlers, resulting in stored XSS for visitors. There is no sanitization (e.g., `rehype-sanitize`) to mitigate this.",medium,new,2026-03-13T21:02:26.554268Z,2026-03-07 10:08:21 +0100,86960743+shubhamdevx@users.noreply.github.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,1b167e4ca10ae51d041d2d71c6b33dbbe4055bb5,apps/web-app/src/pages/SkillDetail.tsx,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,apps/web-app/src/pages/SkillDetail.tsx,obsolete/not reproducible on current HEAD,Historical rehype-raw usage in markdown rendering.,,,"On origin/main, SkillDetail renders markdown with react-markdown + remark-gfm + rehype-highlight only; rehype-raw is no longer imported or enabled.",n/a,n/a,
https://chatgpt.com/codex/security/findings/e01a4ba9a89c8191aff2edc3fa7e28ac,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink-following copy leaks host files in setup_web,"The updated copy routine in scripts/setup_web.js now uses fs.statSync, which follows symlinks, and copies targets as regular files or directories. This lets a malicious skill entry be a symlink to any file on the build host (e.g., ~/.ssh/id_rsa or CI secrets). When npm run app:setup runs, the script copies the resolved target into web-app/public/skills, potentially publishing sensitive host files in the generated assets.",medium,new,2026-03-13T21:20:07.506636Z,2026-03-02 09:29:59 +0100,zinzied@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,c8e1c0ef194ac824501ca78c0a0d6fd1d199ee6d,scripts/setup_web.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/setup_web.js,still present and exploitable,Local copy helpers dereferenced symlinks without constraining the resolved path to the intended skills root.,filesystem-trust-boundary,Symlink-following copy leaks host files in setup_web,"On origin/main, setup_web.js used fs.statSync and recursive copy on skills/, so a symlink inside skills could resolve to an arbitrary host file or directory and be copied into public assets.",Resolve symlinks only when their real path stays inside skills/; otherwise skip them and keep copying regular entries.,node tools/scripts/tests/symlink_safety.test.js && node tools/scripts/tests/copy_security.test.js,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/5d3d78e3a5848191bc5246f22a2c21f7,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Insecure install guidance allows remote script execution,"The added Apify actorization skill includes installation and Dockerfile instructions that execute remote scripts directly via `curl ... | bash`/`sh` (and PowerShell `irm ... | iex`) without integrity checks. It also recommends logging in with `apify login -t $APIFY_TOKEN`, which places the token on the command line where it can be exposed via process listings or shell history. Because these skills are intended for AI assistants to follow automatically, these instructions materially increase the chance of remote code execution if the hosted script is compromised or intercepted and can leak credentials.",medium,new,2026-03-13T21:22:44.902021Z,2026-03-01 10:02:50 +0100,ar27111994@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,2f55f046b928714faa7faf16e942fa651ad406e4,skills/apify-actorization/SKILL.md | skills/apify-actorization/references/cli-actorization.md,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/apify-actorization/SKILL.md,still present but low practical risk,Skill instructions recommended pipe-to-shell installs and token-on-command-line login.,shell-safety,Insecure install guidance allows remote script execution,"On origin/main, the Apify actorization skill still recommended curl/irm pipe-to-shell installation and apify login -t, which is documentation-only but directly instructs unsafe execution and credential handling.",Replace pipe-to-shell commands with package-manager guidance and remove command-line token examples.,node tools/scripts/tests/docs_security_content.test.js,codex/security-shell-safety
https://chatgpt.com/codex/security/findings/a80995d785dc8191a0e8fbd50b86fc0c,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,"setup_web.js now follows symlinks, enabling file exfiltration","The change to copyFolderSync now uses fs.statSync (which follows symlinks) and copies the resolved file or directory contents into web-app/public/skills. If an attacker can add a symlink inside skills (e.g., via a malicious PR or external sync) pointing to /etc/passwd or other sensitive files on the build host, running app:setup will include those files in the public build output. Previously, symlinks to files would trigger ENOTDIR and halt copying, preventing silent exfiltration. This introduces a symlink traversal/infoleak risk during build or local setup.",medium,new,2026-03-13T21:26:52.050223Z,2026-02-27 08:59:16 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,1e73502c3d666e34394ef4151523168f5223de46,scripts/setup_web.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/setup_web.js,duplicate of another finding,Local copy helpers dereferenced symlinks without constraining the resolved path to the intended skills root.,filesystem-trust-boundary,Symlink-following copy leaks host files in setup_web,Same origin/main behavior as finding 3: fs.statSync-based recursive copy in setup_web.js followed symlink targets during public asset setup.,Fix once in setup_web.js by constraining symlink resolution to the skills root.,node tools/scripts/tests/symlink_safety.test.js && node tools/scripts/tests/copy_security.test.js,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/f2380f065b848191b55c1b6767222232,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink traversal in web asset setup copies arbitrary files,"scripts/setup_web.js copies the entire skills directory into web-app/public via a custom recursive copier. The code only checks isFile() and treats everything else as a directory, which means symbolic links are followed. A malicious skill can include a symlink pointing outside the repo (e.g., /etc, CI secrets, or other host files). When app:setup or START_APP.bat runs, those external files are copied into public assets and can be exposed in the built site, resulting in an information leak from the build host.",medium,new,2026-03-13T21:39:44.118360Z,2026-02-24 09:44:01 +0100,zinzied@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,a3358466806dc5a4646d8c5e26c1a550484a5b1e,scripts/setup_web.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/setup_web.js,duplicate of another finding,Local copy helpers dereferenced symlinks without constraining the resolved path to the intended skills root.,filesystem-trust-boundary,Symlink-following copy leaks host files in setup_web,Same origin/main behavior as finding 3: the setup_web recursive copy followed symlink targets and copied their resolved content.,Fix once in setup_web.js by constraining symlink resolution to the skills root.,node tools/scripts/tests/symlink_safety.test.js && node tools/scripts/tests/copy_security.test.js,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/24940dbf717081919c799c7f3e1481e6,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink file copying in .github/skills sync leaks host files,"The commit adds find_github_skills() and a new sync loop for .github/skills entries. The code treats any directory under .github/skills as a skill, then blindly copies every file in that directory using Path.is_file() + shutil.copy2(). is_file() follows symlinks, so if a malicious upstream repo adds a symlink file (e.g., secrets.txt -> /etc/shadow) inside a .github/skills/<skill>/ directory, the sync will read and copy that host file into this repo. This is a supplychain information disclosure risk when maintainers run the script.",medium,new,2026-03-13T21:51:12.396892Z,2026-02-12 15:34:42 +0500,ar27111994@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,44e51f0ea92646afa82ff99c6ae5edaeb64b03e4,scripts/sync_microsoft_skills.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/sync_microsoft_skills.py,still present and exploitable,Microsoft sync resolved symlinked skill directories and copied files without proving the resolved source stayed inside the cloned repo.,filesystem-trust-boundary,Symlink file copying in .github/skills sync leaks host files,"On origin/main, find_skills_in_directory accepted symlinked skill dirs by item.resolve() and copy loops accepted regular files from resolved dirs without checking they remained under the clone root.",Reject symlink targets outside the clone root and copy only regular files whose resolved path stays under the clone root.,python3 tools/scripts/tests/test_sync_microsoft_skills_security.py,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/ad700289b03c8191a2b256e0b9a72e24,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlinked file copy in Microsoft skill sync can leak host data,"The newly added `scripts/sync_microsoft_skills.py` copies all non-SKILL files from the cloned Microsoft repository into `skills/official/microsoft`. It uses `Path.is_file()` and `shutil.copy2()` without disabling symlink following. If an attacker can introduce a symlinked file in the upstream repo (or a compromised mirror), the script will dereference it and copy the target file contents (e.g., `/proc/self/environ`, `~/.ssh/*`) into the skills directory. When run in CI or a maintainer environment, this enables unintended disclosure of host files and secrets through the generated artifacts.",medium,new,2026-03-13T21:49:30.432277Z,2026-02-11 20:36:09 +0500,ar27111994@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,17bce709dedfbbdbcc836c0ca24eaa85713fca66,scripts/sync_microsoft_skills.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/sync_microsoft_skills.py,duplicate of another finding,Microsoft sync resolved symlinked skill directories and copied files without proving the resolved source stayed inside the cloned repo.,filesystem-trust-boundary,Symlink file copying in .github/skills sync leaks host files,Same origin/main behavior as finding 7: the Microsoft sync path trusted resolved symlink targets and copied files from them.,Fix once in sync_microsoft_skills.py by constraining resolved paths to the clone root.,python3 tools/scripts/tests/test_sync_microsoft_skills_security.py,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/7dd6119817408191b7e18678576a958a,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Committed Python bytecode can hide malicious logic,"This update introduces compiled Python bytecode files (core.cpython-314.pyc and design_system.cpython-314.pyc) into the repository. When search.py imports core or design_system, Python will prefer a valid __pycache__ bytecode file over the source module if the timestamp/hash matches the runtime interpreter. This enables a supplychain backdoor: malicious code could be embedded in the .pyc while the .py source remains benign, leading to arbitrary code execution when users run the skill scripts.",medium,new,2026-03-13T22:32:57.904438Z,2026-01-16 17:34:54 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,faf478f38907e0929f921bcff73557d57ea97247,skills/ui-ux-pro-max/scripts/search.py | skills/ui-ux-pro-max/scripts/__pycache__/core.cpython-314.pyc | skills/ui-ux-pro-max/scripts/__pycache__/design_system.cpython-314.pyc,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/ui-ux-pro-max/scripts/__pycache__/core.cpython-314.pyc | skills/ui-ux-pro-max/scripts/__pycache__/design_system.cpython-314.pyc,still present but low practical risk,Compiled Python bytecode was committed alongside source.,robustness,Committed Python bytecode can hide malicious logic,"On origin/main, tracked __pycache__ artifacts were still present under skills/ui-ux-pro-max/scripts, which is review-hostile but not independently exploitable.",Remove tracked bytecode artifacts and rely on source-only review plus .gitignore.,node tools/scripts/tests/repo_hygiene_security.test.js,codex/security-robustness
https://chatgpt.com/codex/security/findings/eee41bc6b7bc819186c798ae59fa94a2,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlinked SKILL.md can leak host files via index script,"scripts/generate_index.py walks the skills tree and opens any SKILL.md it finds. Because it does not verify that SKILL.md is a regular file within the skills directory, a contributor can add a SKILL.md symlink pointing to a sensitive file on the build host (e.g., ~/.ssh/id_rsa or /proc/self/environ). When maintainers run the script, it will read that file and embed the extracted content into skills_index.json, which may later be committed or published as an artifact. This is a supply-chain info disclosure risk introduced by the new script.",medium,new,2026-03-13T22:33:24.826296Z,2026-01-14 20:49:05 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,d32f89a21169fbc77bed59b325e3df17f85d2fad,scripts/generate_index.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/generate_index.py,still present but low practical risk,Index generation read symlinked SKILL.md files without checking that the target stayed inside the repo.,filesystem-trust-boundary,Symlinked SKILL.md can leak host files via index script,"On origin/main, generate_index.py opened every SKILL.md it found via os.walk and did not skip symlinked SKILL.md files, so a malicious local symlink could exfiltrate another file into index metadata generation.",Skip symlinked SKILL.md files during indexing.,python3 tools/scripts/tests/test_frontmatter_parsing_security.py,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/c0c1181e19dc81919d5b20f2288dc348,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,"Example loader trusts manifest paths, enabling file read","The added example loader builds file paths from skills_index.json metadata and reads SKILL.md without validating that the resolved path stays within the skills root or that it is not a symlink. If a malicious contributor supplies a crafted skills_index.json entry or a symlinked SKILL.md in the skills tree, a user who runs this loader and references that skill can end up reading and sending local file contents to the model. This is an information disclosure risk in supply-chain scenarios and should be mitigated by normalizing paths, enforcing a skillsRoot prefix check, and rejecting symlinks via lstat/realpath.",low,new,2026-03-13T20:55:25.060750Z,2026-03-11 15:42:35 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,a41f1a4d613c8c0acb424abaa11b6a6f84f3f0ba,examples/jetski-gemini-loader/loader.ts,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,docs/integrations/jetski-gemini-loader/loader.ts,obsolete/not reproducible on current HEAD,Historical manifest-path trust in the Jetski loader example.,,,"On origin/main, the loader example resolves the requested file and rejects any path whose path.relative escapes the configured skills root, so the reported direct file read no longer reproduces.",n/a,n/a,
https://chatgpt.com/codex/security/findings/bafe0096db1081919bad2ba2ec243f5e,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,TLS certificate verification disabled in new scrapers,"The newly added leiloeiros scraping utilities disable TLS certificate verification for all HTTP requests and Playwright page loads. The base scraper uses httpx.AsyncClient with verify=False and Playwright contexts with ignore_https_errors=True, and the fallback scraper repeats verify=False. This allows active network attackers to intercept or tamper with scraped content, potentially poisoning downstream data or leaking any credentials used by the scraper.",low,new,2026-03-13T21:25:34.569244Z,2026-03-07 10:04:07 +0100,renatogracie@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,61ec71c5c7b9b9eaa12504452deda8da8677ba48,skills/junta-leiloeiros/scripts/scraper/base_scraper.py | skills/junta-leiloeiros/scripts/web_scraper_fallback.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/junta-leiloeiros/scripts/scraper/base_scraper.py | skills/junta-leiloeiros/scripts/web_scraper_fallback.py,still present but low practical risk,HTTP scrapers disabled TLS verification by default.,auth-integrity,TLS certificate verification disabled in new scrapers,"On origin/main, both the base scraper and the direct fallback client instantiated HTTP clients with verify=False / ignore_https_errors=True, which weakens transport integrity but is a local-run scraper risk rather than an application RCE.",Enable TLS verification by default and require an explicit environment opt-out for insecure targets.,python3 tools/scripts/tests/test_junta_tls_security.py,codex/security-auth-integrity
https://chatgpt.com/codex/security/findings/e9dcff2b3f0481918fc76060bd837fb8,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Complete bundle omits valid skill categories,"The new tools/lib/skill-filter.js defines SKILL_CATEGORIES with hardcoded values (core, architecture, etc.) that are not aligned with the real categories stored in skills_index.json (e.g., ""development""). The ""complete"" bundle derives its category list from Object.keys(SKILL_CATEGORIES), so any real category not present in the hardcoded list is silently excluded. This means getSkillsByBundle('complete') will omit many skills, defeating the intent of a complete bundle and potentially confusing consumers who expect full coverage.",low,new,2026-03-13T21:04:11.988883Z,2026-03-07 10:02:18 +0100,169171880+Sayeem3051@users.noreply.github.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,5f6f94b53f9b8afa02d020775a0a172af009baaa,tools/lib/skill-filter.js | skills_index.json,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/lib/skill-filter.js | tools/scripts/build-catalog.js | data/bundles.json,obsolete/not reproducible on current HEAD,Historical bundle-category omission in a helper path no longer driving shipped bundle data.,,,"On origin/main, shipped bundle data is generated by tools/scripts/build-catalog.js into data/bundles.json; the reported omission in tools/lib/skill-filter.js does not drive current shipped catalog data.",n/a,n/a,
https://chatgpt.com/codex/security/findings/279041383cc08191abdb9dfa99a03f7c,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Malformed frontmatter delimiter breaks YAML parsing for skills,"The commit replaces valid `license:` fields with lines that start with `---`, e.g. `--- Unknown` in `skills/alpha-vantage/SKILL.md`. The frontmatter parser in `lib/skill-utils.js` reads the block between the first and next `---` line and then parses it as YAML. A `---` marker inside the block is treated as a YAML document delimiter, which makes the frontmatter invalid or splits it into multiple documents. As a result, validators and index generation will report frontmatter parse errors and drop metadata for these skills. This is a regression introduced by the automated fixes.",low,new,2026-03-13T21:09:11.726502Z,2026-03-06 09:18:57 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,93d6badcee41fbacc26b427d3f8d5665ea25b7e6,skills/alpha-vantage/SKILL.md | lib/skill-utils.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/alpha-vantage/SKILL.md | tools/lib/skill-utils.js,still present but low practical risk,Malformed local SKILL.md frontmatter caused parser drift and validation noise.,robustness,Malformed frontmatter delimiter breaks YAML parsing for skills,"On origin/main, skills/alpha-vantage/SKILL.md still contained an extra delimiter token (--- Unknown), which caused parser warnings and broken metadata interpretation.",Repair the malformed frontmatter so the file is a valid YAML frontmatter document.,node tools/scripts/tests/repo_hygiene_security.test.js,codex/security-robustness
https://chatgpt.com/codex/security/findings/f4f1ce7ec10c81918140ad2ea30d7465,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,ws_listener writes sensitive events to predictable /tmp files,"The newly added skills/videodb/scripts/ws_listener.py writes WebSocket events, connection IDs, and PIDs to fixed filenames in a user-controllable output directory that defaults to /tmp. Files are created with default permissions and without safeguards against symlink/hardlink attacks. On multi-user systems this enables local attackers to read captured transcripts or overwrite arbitrary files if the listener is run with higher privileges and a malicious symlink is placed in /tmp.",low,new,2026-03-13T21:19:42.804366Z,2026-03-03 18:02:13 +0530,rohit@spext.co,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,21f7730bb5322b44eff60138ee20be25733f317e,skills/videodb/scripts/ws_listener.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/videodb/scripts/ws_listener.py,still present but low practical risk,A local helper defaulted to predictable shared temporary-file paths.,robustness,ws_listener writes sensitive events to predictable /tmp files,"On origin/main, ws_listener defaulted to /tmp for event, pid, and websocket-id files, which is a same-host local confidentiality risk rather than a remote exploit.",Default to a user-owned state directory instead of shared /tmp when no explicit output dir is provided.,node tools/scripts/tests/local_temp_safety.test.js,codex/security-robustness
https://chatgpt.com/codex/security/findings/774d10a364bc8191a4545e42cb6d75c9,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink traversal lets /skills/ serve arbitrary local files,"The commit adds a custom Vite middleware that serves files from the repo's skills directory. It only checks path traversal with path.resolve() and then uses fs.statSync/createReadStream on the original path. Because path.resolve() does not resolve symlinks and fs.statSync follows them, a symlink placed under skills (e.g., via a malicious skill sync or PR) can point to any file on the host. Requests like /skills/<symlink> will then leak those files. This is a local file disclosure risk if the dev server is reachable on a shared network or within a container.",low,new,2026-03-13T21:26:48.457589Z,2026-03-03 09:27:19 +0100,zinzied@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,7399b2973c3dee050c56e09325a30aba92278df6,web-app/refresh-skills-plugin.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,apps/web-app/refresh-skills-plugin.js,still present but low practical risk,The Vite dev plugin served requested files based on lexical path checks instead of safe realpath containment.,filesystem-trust-boundary,Symlink traversal lets /skills/ serve arbitrary local files,"On origin/main, refresh-skills-plugin.js used path.resolve(filePath).startsWith(...) and fs.statSync(filePath), so a symlink inside skills/ could still read a target outside the intended tree in local dev.",Resolve real paths and only serve files whose resolved path remains inside the skills root.,node tools/scripts/tests/symlink_safety.test.js,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/22e68f79d7f08191b5a2ae8de5c74a99,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Sync Skills endpoint follows symlinks from downloaded archive,"The commit adds a Vite dev-server middleware at /api/refresh-skills that downloads a GitHub ZIP, extracts it, and copies the extracted skills into the repo and web-app/public. The copy routine does not guard against symlinks or validate extracted content. If a malicious archive (e.g., compromised upstream repo or redirected download) includes a symlink under skills pointing outside the repo, copyFolderSync will follow it and copy arbitrary local files into web-app/public, potentially exposing sensitive data via the dev server. The endpoint is unauthenticated and invoked via a GET request from the UI, making it possible for a CSRF-style trigger if the dev server is exposed.",low,new,2026-03-13T21:21:24.441152Z,2026-03-02 09:56:15 +0100,zinzied@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,b42ab600ec7fad506e90e5f15a612df6b7122400,web-app/refresh-skills-plugin.js | web-app/src/pages/Home.jsx,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,apps/web-app/refresh-skills-plugin.js,duplicate of another finding,The Vite dev plugin served requested files based on lexical path checks instead of safe realpath containment.,filesystem-trust-boundary,Symlink traversal lets /skills/ serve arbitrary local files,"On origin/main, the stale Home.jsx path no longer exists, but the live issue is the same plugin root cause as finding 16: once symlinked content lands under skills/, the dev server trusts it by lexical path only.",Fix once in refresh-skills-plugin.js by resolving and constraining real paths.,node tools/scripts/tests/symlink_safety.test.js,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/188240e65ef8819190a3f34657172d78,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Validation crash if YAML frontmatter is not a mapping,"After switching to yaml.safe_load, parse_frontmatter can return a list or scalar when the frontmatter is not a YAML mapping. validate_skills() only checks for falsy metadata and then immediately indexes metadata[""name""], metadata[""description""], etc. If a malformed SKILL.md uses a sequence/scalar that contains strings like ""description"", the membership check passes and the subsequent dict-style access raises a TypeError, crashing the validation script. A malicious contributor could add such a frontmatter to break CI validation (tooling DoS).",low,new,2026-03-13T21:28:56.999912Z,2026-03-01 09:38:25 +0100,72440556+itsmeares@users.noreply.github.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,4a5f1234bb5edc54a85dbd136b9feeb43fad8e95,scripts/validate_skills.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/validate_skills.py,still present but low practical risk,Frontmatter parsers assumed YAML always decoded to a mapping/object.,robustness,Validation crash if YAML frontmatter is not a mapping,"On origin/main, validate_skills.parse_frontmatter returned yaml.safe_load output directly; scalar YAML values were not rejected before downstream key access.",Reject non-mapping frontmatter early and return a validation error instead of passing scalar values downstream.,python3 tools/scripts/tests/test_frontmatter_parsing_security.py,codex/security-robustness
https://chatgpt.com/codex/security/findings/57c4c40bcaa48191964fd242c8c7c213,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Anonymous Supabase writes allow skill star tampering,"The new Supabase integration creates a public client in the browser and writes directly to the skill_stars table from the UI. The only anti-abuse control is a localStorage flag, which is trivially bypassed (clear storage or script direct API calls with the publishable key). If the table is configured to allow anonymous inserts/updates—as required for this feature—any network user can inflate star counts or spam rows, impacting data integrity and potentially costs.",low,new,2026-03-13T21:28:30.655363Z,2026-02-25 17:56:20 +0100,zinzied@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,68266007b9e3bd3fe4eccffd994a7d479eb03fdc,web-app/src/lib/supabase.js | web-app/src/pages/Home.jsx,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,apps/web-app/src/lib/supabase.ts | apps/web-app/src/hooks/useSkillStars.ts | apps/web-app/src/context/SkillContext.tsx,still present and exploitable,Browser code performed direct shared star writes with a public anon client and no repo-local server-side mediation.,auth-integrity,Anonymous Supabase writes allow skill star tampering,"Inference from source: on origin/main, useSkillStars performed a direct upsert to skill_stars from frontend code using the public anon client. The repo contains no server-side gate or versioned policy proving that writes are constrained.",Disable shared frontend writes by default and keep only local starring unless an explicit deployment-time opt-in is provided.,cd apps/web-app && npm test -- --run src/hooks/__tests__/useSkillStarsSecurity.test.ts,codex/security-auth-integrity
https://chatgpt.com/codex/security/findings/9e069e8cc0048191a5703a5ba70ca6ff,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Metadata fixer overwrites symlinked SKILL.md targets,"The newly added maintenance script walks the skills tree and opens any SKILL.md for writing. It does not check whether SKILL.md is a symlink or whether the resolved path stays within the repo. If an attacker contributes a skill directory where SKILL.md is a symlink to an arbitrary file (e.g., in CI or a maintainers workstation), running this script will overwrite that target with rewritten frontmatter. This is a classic symlink traversal/arbitrary file overwrite risk in build tooling.",low,new,2026-03-13T21:42:42.429276Z,2026-02-20 19:39:15 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,e36d6fd3b3f6c37967efd3ae60a5a25460d1f824,scripts/fix_skills_metadata.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/fix_skills_metadata.py,still present but low practical risk,Maintenance scripts rewrote symlinked SKILL.md targets without path safety checks.,filesystem-trust-boundary,Metadata fixer overwrites symlinked SKILL.md targets,"On origin/main, fix_skills_metadata.py opened and rewrote every discovered SKILL.md without skipping symlinked files, so a crafted symlink could modify another file.",Skip symlinked SKILL.md files and only mutate real local skill files with mapping frontmatter.,python3 tools/scripts/tests/test_fix_skills_metadata_security.py,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/e29b51f4ce848191a63ce491cf03f29f,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Installer now dereferences symlinks during copy,"This commit changes installs to always clone into a temporary directory and then copy the repos skills/ and docs/ into the target using copyRecursiveSync. copyRecursiveSync uses fs.statSync (not lstat) and recursively walks directories, which dereferences symlinks. If a compromised or malicious repo contains a symlink inside skills/ or docs/ pointing to a sensitive local path (e.g., ~/.ssh or /etc), the installer will read and copy those files into the skills directory. Previously, fresh installs used git clone directly, which preserves symlinks rather than copying their targets. This expands the attack surface to all installs and can lead to unintended disclosure or propagation of local files when skills are later used or shared.",low,new,2026-03-13T21:43:58.492792Z,2026-02-19 08:52:55 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,36ebea20bac8a13c1974accdc5df019b77b8c889,bin/install.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/bin/install.js,still present and exploitable,Installer copy logic dereferenced symlinks without constraining the resolved path to the cloned repo.,filesystem-trust-boundary,Installer now dereferences symlinks during copy,"On origin/main, copyRecursiveSync used fs.statSync on cloned content, so a malicious symlink in the repo could copy arbitrary local files into the install target.","Use lstat, resolve symlinks only when they stay inside the cloned repo root, and skip/ignore out-of-root links.",node tools/scripts/tests/copy_security.test.js,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/3d330bc804b881918c5aee016173d23a,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Installer merge path dereferences symlinks when copying,"When the target directory already exists and is not a git repo, the installer now clones the repo into a temp directory and copies it into the target. The new copyRecursiveSync function uses fs.statSync (not lstat) and fs.copyFileSync, which dereference symlinks. If a compromised or malicious repo includes a symlink that points outside the repo (e.g., /etc/passwd or /), the installer will read and copy that external file or directory into the target directory. This introduces a supply-chain style local file disclosure/DoS risk that did not exist when the script previously aborted on non-git directories.",low,new,2026-03-13T21:43:54.333304Z,2026-02-18 18:35:55 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,ac202f006274c93eb6d169cbac9e8e41ee9803ab,bin/install.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/bin/install.js,duplicate of another finding,Installer copy logic dereferenced symlinks without constraining the resolved path to the cloned repo.,filesystem-trust-boundary,Installer now dereferences symlinks during copy,Same origin/main behavior as finding 21: install.js dereferenced symlinks during install/merge copy.,Fix once in install.js by constraining or skipping symlink resolution.,node tools/scripts/tests/copy_security.test.js,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/9750c7b5f2648191b70db89c0744cb34,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Cleanup sync deletes arbitrary paths via flat_name,"The new cleanup_previous_sync routine loads docs/microsoft-skills-attribution.json and iterates each skill's flat_name to build a deletion path. Because flat_name is not validated or constrained to a safe filename, a crafted entry containing path traversal (e.g., ""../../etc"") resolves outside TARGET_DIR. When the maintainer runs the sync script, shutil.rmtree will delete directories outside the repo, leading to destructive filesystem writes. A malicious PR or compromised attribution file could exploit this.",low,new,2026-03-13T21:50:10.785722Z,2026-02-12 00:38:24 +0500,ar27111994@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,35556e030676fa458d7ec7c7c23d741da37a7c44,scripts/sync_microsoft_skills.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/sync_microsoft_skills.py,duplicate of another finding,Microsoft sync trusted frontmatter-derived flat names for filesystem writes and cleanup deletes.,filesystem-trust-boundary,Unsanitized frontmatter name enables path traversal in sync script,Same origin/main root cause as finding 1: cleanup_previous_sync used flat_name from attribution without constraining it to skills/.,Fix once in sync_microsoft_skills.py by sanitizing flat names before delete/copy operations.,python3 tools/scripts/tests/test_sync_microsoft_skills_security.py,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/85cc2dab67f08191a8acfc493fa68e9f,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Audio transcription example allows Python code injection,"The newly added skills/audio-transcriber/examples/basic-transcription.sh uses an unquoted heredoc (python3 << EOF) and directly embeds shell variables like $AUDIO_FILE and $MODEL inside Python string literals. Because the heredoc is unquoted, any quotes or Python syntax contained in a malicious filename (or MODEL environment value) are injected into the Python script at runtime. If a user runs the script on an attacker-supplied audio file with a crafted name, the injected code can execute with the user's privileges.",low,new,2026-03-13T21:58:03.406739Z,2026-02-04 17:37:45 -0300,eric.andrade@avanade.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,801c8fa47555ac331b83ba3040c71ed075dea8c7,skills/audio-transcriber/examples/basic-transcription.sh,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/audio-transcriber/examples/basic-transcription.sh,still present but low practical risk,Example shell script interpolated untrusted shell variables directly into embedded Python code.,shell-safety,Audio transcription example allows Python code injection,"On origin/main, basic-transcription.sh used an unquoted heredoc and embedded $AUDIO_FILE/$MODEL/$TRANSCRIBER directly into Python source, so crafted input could break quoting and inject code in a local example script.",Use quoted heredocs and pass values through environment variables instead of interpolating them into Python source.,node tools/scripts/tests/docs_security_content.test.js,codex/security-shell-safety
https://chatgpt.com/codex/security/findings/6d47effff9a88191a329efd81b65fe5e,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Unbounded recursive skill traversal can crash catalog build,"The newly added listSkillIdsRecursive function walks every subdirectory under skills with unbounded recursion and no cycle/depth checks. A malicious or accidental deeply nested directory tree (or a symlink loop on filesystems that report symlinks as directories) can exhaust the Node.js call stack and crash catalog generation, breaking CI/builds.",low,new,2026-03-13T22:04:01.470812Z,2026-02-02 22:04:20 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,263c5076842e38bcde7a5f353ae3ec089c6f0cfb,lib/skill-utils.js | scripts/build-catalog.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/lib/skill-utils.js | tools/scripts/build-catalog.js,obsolete/not reproducible on current HEAD,Historical concern about recursive traversal following symlink loops.,,,"On origin/main, listSkillIdsRecursive walks Dirent directories from readdirSync({withFileTypes:true}); symlink entries are not treated as directories, so the reported unbounded symlink recursion does not reproduce.",n/a,n/a,
https://chatgpt.com/codex/security/findings/b4a2caf37cf88191af9bd61ff52b082b,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Release scripts still use root skills_index.json path,"The commit relocated skills_index.json into the data/ directory, but the release and README update scripts still read/write the index from the repository root. Running the release cycle now attempts to open skills_index.json at the old location and will fail or regenerate a new file in the wrong place, leaving the canonical data/skills_index.json stale. This is a regression caused by the file move.",low,new,2026-03-13T22:17:55.097915Z,2026-01-28 17:38:45 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,76e0dffad7a40edda8093fa76b8d8af32bec19b5,scripts/update_readme.py | scripts/generate_index.py | scripts/release_cycle.sh,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/update_readme.py | tools/scripts/generate_index.py | tools/scripts/release_cycle.sh,obsolete/not reproducible on current HEAD,Historical path expectation mismatch for generated index output.,,,"On origin/main, root skills_index.json is the canonical generated index and release_cycle.sh is only a wrapper around release_workflow.js, so the reported path mismatch no longer reproduces as a defect.",n/a,n/a,
https://chatgpt.com/codex/security/findings/9d9af398dcc88191be1f6f927f559775,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink traversal in skill normalization allows file overwrite,"The commit introduces listSkillIds in lib/skill-utils.js, which uses fs.statSync and therefore follows symlinks when enumerating skill folders. scripts/normalize-frontmatter.js then derives a SKILL.md path from each entry and rewrites it with fs.writeFileSync. If an attacker adds a symlinked skill directory (e.g., skills/evil -> /etc), running normalize-frontmatter will follow the symlink and overwrite /etc/SKILL.md or any target file named SKILL.md, allowing arbitrary file modification on the maintainer/CI host. Use lstatSync to reject symlinks or resolve real paths and enforce they stay within the skills directory before reading/writing.",low,new,2026-03-13T22:15:38.637449Z,2026-01-28 17:15:26 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,0ffee448285d6830e442b769f9002f7a9dba91b0,lib/skill-utils.js | scripts/normalize-frontmatter.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/lib/skill-utils.js | tools/scripts/normalize-frontmatter.js,still present but low practical risk,Skill discovery used stat-based directory checks that treated symlinked skill dirs/files as local mutable content.,filesystem-trust-boundary,Symlink traversal in skill normalization allows file overwrite,"On origin/main, listSkillIds used fs.statSync and fs.existsSync on child skill dirs, so normalize-frontmatter could treat symlinked skill folders as writable local skills.",Use lstat-based discovery and skip symlinked skill dirs / SKILL.md entries before normalization.,node tools/scripts/tests/skill_utils_security.test.js,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/1a06ce21006c8191a1f482569642fa7e,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,last30days skill passes user input directly to Bash command,"The skill instructs the agent to execute `python3 ... ""$ARGUMENTS""` via the Bash tool. Because `$ARGUMENTS` is derived from the users topic and is only wrapped in double quotes, shell command substitution (e.g., `$(...)` or backticks) will still be evaluated. An attacker who can influence the topic (direct user input or prompt injection) can execute arbitrary shell commands in the Claude Code environment.",low,new,2026-03-13T22:21:45.958278Z,2026-01-26 19:05:37 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,c7f7f23bd7ecce8a78ebb19cab04fc1569d5e01b,skills/last30days/SKILL.md,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/last30days/SKILL.md,obsolete/not reproducible on current HEAD,Historical concern about unquoted shell interpolation in skill instructions.,,,"On origin/main, the documented command passes ""$ARGUMENTS"" as a quoted argument to Python, so the reported direct Bash injection sink does not reproduce from the current text.",n/a,n/a,
https://chatgpt.com/codex/security/findings/e3a91005557c8191978bb32695394919,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Unvalidated YAML frontmatter can crash index generation,"The commit switches frontmatter parsing to yaml.safe_load but then assumes the result is a dict of string values. PyYAML can return non-mapping types (e.g., a scalar or list) or non-string values (timestamps, binaries). If a malicious SKILL.md uses such YAML, the merge step can raise TypeError (e.g., metadata is a string/list) or json.dump can fail on non-JSON-serializable objects. Because generate_index.py runs in CI on untrusted skill content, this is a build-time availability issue that can be exploited to crash or block the pipeline.",low,new,2026-03-13T22:23:04.494598Z,2026-01-26 08:30:16 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,9891cb28edfd8405bf3f865c01b8f04ca9e8f9d7,scripts/generate_index.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/generate_index.py,duplicate of another finding,Frontmatter parsers assumed YAML always decoded to a mapping/object.,robustness,Validation crash if YAML frontmatter is not a mapping,"Same origin/main root cause as finding 18, but in generate_index.py instead of validate_skills.py: scalar YAML values were passed through without a mapping check.",Fix once by rejecting non-mapping frontmatter in both parser paths.,python3 tools/scripts/tests/test_frontmatter_parsing_security.py,codex/security-robustness
https://chatgpt.com/codex/security/findings/f21c1074a2148191bb8bcb18b171c39b,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Predictable /tmp counter file enables local file clobbering,"The newly added suggest-compact hook script uses a predictable filename in /tmp (""/tmp/claude-tool-count-$$"") and writes to it with shell redirection. In a multi-user environment, another local user can pre-create a symlink at that path pointing to a victim-owned file. When the victim runs the hook, the script will follow the symlink and truncate/overwrite the target file. This is a classic insecure temporary file issue; use mktemp or a per-user directory with safe file creation to avoid symlink clobbering.",low,new,2026-03-13T22:30:51.612037Z,2026-01-21 17:49:56 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,a9ff10d5111d2cc19f1222790ff58a3185608e01,skills/cc-skill-strategic-compact/suggest-compact.sh,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/cc-skill-strategic-compact/suggest-compact.sh,still present but low practical risk,A local helper used a predictable shared temporary-file path.,robustness,Predictable /tmp counter file enables local file clobbering,"On origin/main, suggest-compact.sh stored state in /tmp/claude-tool-count-$$, which is predictable and shared-host local-only.",Move the counter file into a user-owned state directory.,node tools/scripts/tests/local_temp_safety.test.js,codex/security-robustness
https://chatgpt.com/codex/security/findings/d82004aa844081918c6abb75d578e5fa,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink traversal risk in new sync script,"The newly added scripts/sync_recommended_skills.sh clears the local skills library by changing into the directory and running `rm -rf` on every `*/` match. In bash, `*/` matches symlinks to directories and `rm -rf symlink/` follows the link, deleting the target directorys contents. If a malicious or compromised skill installation can place a symlink inside the local library (or a local attacker can create one), running this script will delete files outside the intended skills directory. This is a symlink traversal / destructive delete vulnerability affecting local integrity and availability.",low,new,2026-03-13T22:33:00.513276Z,2026-01-18 07:52:10 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,95eeb1dd4b95033547e57a668b4725ea0c33f4dd,scripts/sync_recommended_skills.sh,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/sync_recommended_skills.sh,still present but low practical risk,A local sync helper used recursive copy semantics that could dereference repo symlinks.,filesystem-trust-boundary,Symlink traversal risk in new sync script,"On origin/main, sync_recommended_skills.sh copied a fixed allowlist from the repo with cp -r, which is local-only but still trusts symlink handling in source content.",Use cp -RP so symlinks are preserved instead of dereferenced.,node tools/scripts/tests/repo_hygiene_security.test.js,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/3ba537afc7948191a311d56c49c1ab03,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,skills_manager allows path traversal in enable/disable operations,"The newly added scripts/skills_manager.py constructs source and target paths by concatenating the user-supplied skill name to SKILLS_DIR or DISABLED_DIR without validating that the resolved paths remain within those directories. An attacker (or malicious automation input) can supply values like ""../scripts"" or ""../../.git"" to move arbitrary directories in the repo, resulting in unintended file moves or data loss. enable_skill has no guard for path traversal, and disable_skill only blocks dot-prefixed names, not ""../"" traversal.",low,new,2026-03-13T22:32:42.251933Z,2026-01-16 17:56:47 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,4ee569d5d5e89a96b6be43dd6100f6cae5299229,scripts/skills_manager.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/skills_manager.py,still present but low practical risk,The local skills manager trusted unsanitized skill names in filesystem rename operations.,filesystem-trust-boundary,skills_manager allows path traversal in enable/disable operations,"On origin/main, enable_skill/disable_skill joined the user-supplied skill name directly under skills/.disabled and skills/, so ../ segments could escape the intended root.",Resolve the requested path and reject names that escape the intended skills directory.,python3 tools/scripts/tests/test_skills_manager_security.py,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/73bc17c96c988191be28a2da534aad7c,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Zip Slip risk in Office unpack scripts,"The Office file unpack helpers for both docx and pptx use zipfile.ZipFile(...).extractall(output_path) directly on the provided Office file. If a malicious Office document contains entries with ../ or absolute paths, extractall will write outside the intended output directory (Zip Slip), enabling arbitrary file overwrite on the machine running the script. Because these scripts are meant to run on potentially untrusted documents, the lack of path validation is a security issue.",low,new,2026-03-13T22:35:07.638286Z,2026-01-14 18:48:08 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,7f46ed8ca119949ad3b406bc85e727db84ee6ece,skills/docx/ooxml/scripts/unpack.py | skills/pptx/ooxml/scripts/unpack.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/docx-official/ooxml/scripts/unpack.py | skills/pptx-official/ooxml/scripts/unpack.py,still present and exploitable,Office unpack helpers extracted ZIP members without validating that archive entries stayed inside the output directory.,filesystem-trust-boundary,Zip Slip risk in Office unpack scripts,"On origin/main, both unpack.py scripts called ZipFile.extractall(output_path) directly, so a malicious Office archive could write outside the requested directory.",Validate each archive member path before extraction and reject path-traversal entries.,python3 tools/scripts/tests/test_office_unpack_security.py,codex/security-filesystem-trust-boundary
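Review bot: the closure rationale on the last30days row (the `"$ARGUMENTS"` finding, triage_status "obsolete/not reproducible") is wrong and should not be the basis for closing it: in bash, double quotes suppress word splitting and globbing but not command substitution, so `$(...)` and backticks inside `"$ARGUMENTS"` still execute, which is exactly what the original description says. Either show that the instruction text on HEAD no longer routes the topic into a Bash tool call at all, or keep the row open. Two other rows need a second look. The Zip Slip row is marked "still present and exploitable", but CPython's `ZipFile.extract`/`extractall` has stripped absolute-path prefixes and `..` components from member names since 3.3.1, so a bare `extractall(output_path)` does not escape the target directory via path components; keep the member-path validation as hardening, but either downgrade the status or make the test plan demonstrate an actual escape. The sync_recommended_skills.sh row reports a destructive `rm -rf */` loop that follows symlinks, yet its root_cause, validation_reason and minimal_fix (`cp -RP`) all describe copy semantics; state explicitly whether the delete loop still exists on HEAD, because `cp -RP` does nothing for it. The unbounded-recursion row is closed by noting that `readdirSync({withFileTypes:true})` does not report symlinks as directories, which rules out the symlink-loop variant only; the deeply nested tree variant from the description is not addressed. Finally, validation_reason cross-references rows by ordinal ("finding 1", "finding 18", "finding 21"), which breaks as soon as the CSV is sorted or a row is added; cite the finding id from finding_url instead.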
1 finding_url repository repository_url title description severity status detected_at committed_at author_email assignee_name assignee_email has_patch configured_scan_id commit_hash relevant_paths resolution_reason current_head_sha current_paths triage_status root_cause priority_bucket canonical_finding validation_reason minimal_fix test_plan target_pr
2 https://chatgpt.com/codex/security/findings/9206906222ec81919b079cbff33f24cb sickn33/antigravity-awesome-skills https://github.com/sickn33/antigravity-awesome-skills Unsanitized frontmatter name enables path traversal in sync script sync_microsoft_skills.py v4 extracts the frontmatter `name` field from each SKILL.md and directly concatenates it with the target directory path. Because the value is not validated or sanitized, a malicious upstream SKILL.md could set `name: ../../../../.ssh` or an absolute path, causing the sync process to create directories and copy files outside the intended skills/ directory. This enables arbitrary file write/overwrite on the machine running the sync script (CI or maintainer workstation), which is a supply-chain risk if the upstream repo is compromised or a malicious contribution is synced. high new 2026-03-13T21:49:23.266050Z 2026-02-12 00:17:38 +0500 ar27111994@gmail.com false user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800 e7ae616385680e37e8b1a9a0327cd97796ac2778 scripts/sync_microsoft_skills.py 226f10c2a62fc182b4e93458bddea2e60f9b0cb9 tools/scripts/sync_microsoft_skills.py still present and exploitable Microsoft sync trusted frontmatter-derived flat names for filesystem writes and cleanup deletes. filesystem-trust-boundary Unsanitized frontmatter name enables path traversal in sync script On origin/main, sync_microsoft_skills.py used the parsed frontmatter name directly under TARGET_DIR and cleanup_previous_sync reused flat_name from attribution without constraining it to skills/. Sanitize flat names to a single safe path segment and refuse cleanup/copy targets that resolve outside the cloned repo or local skills/ root. python3 tools/scripts/tests/test_sync_microsoft_skills_security.py codex/security-filesystem-trust-boundary
3 https://chatgpt.com/codex/security/findings/36213642db54819183a4a3c2ed6a7baf sickn33/antigravity-awesome-skills https://github.com/sickn33/antigravity-awesome-skills Stored XSS via rehype-raw rendering of skill markdown The SkillDetail page now enables `rehype-raw` while rendering SKILL.md content. Skill markdown is sourced from the repo (and external syncs) and is effectively untrusted. With `rehype-raw`, any HTML inside SKILL.md is parsed into the DOM, allowing attackers to inject scripts or event handlers, resulting in stored XSS for visitors. There is no sanitization (e.g., `rehype-sanitize`) to mitigate this. medium new 2026-03-13T21:02:26.554268Z 2026-03-07 10:08:21 +0100 86960743+shubhamdevx@users.noreply.github.com false user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800 1b167e4ca10ae51d041d2d71c6b33dbbe4055bb5 apps/web-app/src/pages/SkillDetail.tsx 226f10c2a62fc182b4e93458bddea2e60f9b0cb9 apps/web-app/src/pages/SkillDetail.tsx obsolete/not reproducible on current HEAD Historical rehype-raw usage in markdown rendering. On origin/main, SkillDetail renders markdown with react-markdown + remark-gfm + rehype-highlight only; rehype-raw is no longer imported or enabled. n/a n/a
4 https://chatgpt.com/codex/security/findings/e01a4ba9a89c8191aff2edc3fa7e28ac sickn33/antigravity-awesome-skills https://github.com/sickn33/antigravity-awesome-skills Symlink-following copy leaks host files in setup_web The updated copy routine in scripts/setup_web.js now uses fs.statSync, which follows symlinks, and copies targets as regular files or directories. This lets a malicious skill entry be a symlink to any file on the build host (e.g., ~/.ssh/id_rsa or CI secrets). When npm run app:setup runs, the script copies the resolved target into web-app/public/skills, potentially publishing sensitive host files in the generated assets. medium new 2026-03-13T21:20:07.506636Z 2026-03-02 09:29:59 +0100 zinzied@gmail.com false user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800 c8e1c0ef194ac824501ca78c0a0d6fd1d199ee6d scripts/setup_web.js 226f10c2a62fc182b4e93458bddea2e60f9b0cb9 tools/scripts/setup_web.js still present and exploitable Local copy helpers dereferenced symlinks without constraining the resolved path to the intended skills root. filesystem-trust-boundary Symlink-following copy leaks host files in setup_web On origin/main, setup_web.js used fs.statSync and recursive copy on skills/, so a symlink inside skills could resolve to an arbitrary host file or directory and be copied into public assets. Resolve symlinks only when their real path stays inside skills/; otherwise skip them and keep copying regular entries. node tools/scripts/tests/symlink_safety.test.js && node tools/scripts/tests/copy_security.test.js codex/security-filesystem-trust-boundary
5 https://chatgpt.com/codex/security/findings/5d3d78e3a5848191bc5246f22a2c21f7 sickn33/antigravity-awesome-skills https://github.com/sickn33/antigravity-awesome-skills Insecure install guidance allows remote script execution The added Apify actorization skill includes installation and Dockerfile instructions that execute remote scripts directly via `curl ... | bash`/`sh` (and PowerShell `irm ... | iex`) without integrity checks. It also recommends logging in with `apify login -t $APIFY_TOKEN`, which places the token on the command line where it can be exposed via process listings or shell history. Because these skills are intended for AI assistants to follow automatically, these instructions materially increase the chance of remote code execution if the hosted script is compromised or intercepted and can leak credentials. medium new 2026-03-13T21:22:44.902021Z 2026-03-01 10:02:50 +0100 ar27111994@gmail.com false user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800 2f55f046b928714faa7faf16e942fa651ad406e4 skills/apify-actorization/SKILL.md | skills/apify-actorization/references/cli-actorization.md 226f10c2a62fc182b4e93458bddea2e60f9b0cb9 skills/apify-actorization/SKILL.md still present but low practical risk Skill instructions recommended pipe-to-shell installs and token-on-command-line login. shell-safety Insecure install guidance allows remote script execution On origin/main, the Apify actorization skill still recommended curl/irm pipe-to-shell installation and apify login -t, which is documentation-only but directly instructs unsafe execution and credential handling. Replace pipe-to-shell commands with package-manager guidance and remove command-line token examples. node tools/scripts/tests/docs_security_content.test.js codex/security-shell-safety
6 https://chatgpt.com/codex/security/findings/a80995d785dc8191a0e8fbd50b86fc0c sickn33/antigravity-awesome-skills https://github.com/sickn33/antigravity-awesome-skills setup_web.js now follows symlinks, enabling file exfiltration The change to copyFolderSync now uses fs.statSync (which follows symlinks) and copies the resolved file or directory contents into web-app/public/skills. If an attacker can add a symlink inside skills (e.g., via a malicious PR or external sync) pointing to /etc/passwd or other sensitive files on the build host, running app:setup will include those files in the public build output. Previously, symlinks to files would trigger ENOTDIR and halt copying, preventing silent exfiltration. This introduces a symlink traversal/infoleak risk during build or local setup. medium new 2026-03-13T21:26:52.050223Z 2026-02-27 08:59:16 +0100 samujackson1337@gmail.com false user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800 1e73502c3d666e34394ef4151523168f5223de46 scripts/setup_web.js 226f10c2a62fc182b4e93458bddea2e60f9b0cb9 tools/scripts/setup_web.js duplicate of another finding Local copy helpers dereferenced symlinks without constraining the resolved path to the intended skills root. filesystem-trust-boundary Symlink-following copy leaks host files in setup_web Same origin/main behavior as finding 3: fs.statSync-based recursive copy in setup_web.js followed symlink targets during public asset setup. Fix once in setup_web.js by constraining symlink resolution to the skills root. node tools/scripts/tests/symlink_safety.test.js && node tools/scripts/tests/copy_security.test.js codex/security-filesystem-trust-boundary
7 https://chatgpt.com/codex/security/findings/f2380f065b848191b55c1b6767222232 sickn33/antigravity-awesome-skills https://github.com/sickn33/antigravity-awesome-skills Symlink traversal in web asset setup copies arbitrary files scripts/setup_web.js copies the entire skills directory into web-app/public via a custom recursive copier. The code only checks isFile() and treats everything else as a directory, which means symbolic links are followed. A malicious skill can include a symlink pointing outside the repo (e.g., /etc, CI secrets, or other host files). When app:setup or START_APP.bat runs, those external files are copied into public assets and can be exposed in the built site, resulting in an information leak from the build host. medium new 2026-03-13T21:39:44.118360Z 2026-02-24 09:44:01 +0100 zinzied@gmail.com false user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800 a3358466806dc5a4646d8c5e26c1a550484a5b1e scripts/setup_web.js 226f10c2a62fc182b4e93458bddea2e60f9b0cb9 tools/scripts/setup_web.js duplicate of another finding Local copy helpers dereferenced symlinks without constraining the resolved path to the intended skills root. filesystem-trust-boundary Symlink-following copy leaks host files in setup_web Same origin/main behavior as finding 3: the setup_web recursive copy followed symlink targets and copied their resolved content. Fix once in setup_web.js by constraining symlink resolution to the skills root. node tools/scripts/tests/symlink_safety.test.js && node tools/scripts/tests/copy_security.test.js codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/24940dbf717081919c799c7f3e1481e6,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink file copying in .github/skills sync leaks host files,"The commit adds find_github_skills() and a new sync loop for .github/skills entries. The code treats any directory under .github/skills as a skill, then blindly copies every file in that directory using Path.is_file() + shutil.copy2(). is_file() follows symlinks, so if a malicious upstream repo adds a symlink file (e.g., secrets.txt -> /etc/shadow) inside a .github/skills/<skill>/ directory, the sync will read and copy that host file into this repo. This is a supply‑chain information disclosure risk when maintainers run the script.",medium,new,2026-03-13T21:51:12.396892Z,2026-02-12 15:34:42 +0500,ar27111994@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,44e51f0ea92646afa82ff99c6ae5edaeb64b03e4,scripts/sync_microsoft_skills.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/sync_microsoft_skills.py,still present and exploitable,Microsoft sync resolved symlinked skill directories and copied files without proving the resolved source stayed inside the cloned repo.,filesystem-trust-boundary,Symlink file copying in .github/skills sync leaks host files,"On origin/main, find_skills_in_directory accepted symlinked skill dirs by item.resolve() and copy loops accepted regular files from resolved dirs without checking they remained under the clone root.",Reject symlink targets outside the clone root and copy only regular files whose resolved path stays under the clone root.,python3 tools/scripts/tests/test_sync_microsoft_skills_security.py,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/ad700289b03c8191a2b256e0b9a72e24,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlinked file copy in Microsoft skill sync can leak host data,"The newly added `scripts/sync_microsoft_skills.py` copies all non-SKILL files from the cloned Microsoft repository into `skills/official/microsoft`. It uses `Path.is_file()` and `shutil.copy2()` without disabling symlink following. If an attacker can introduce a symlinked file in the upstream repo (or a compromised mirror), the script will dereference it and copy the target file contents (e.g., `/proc/self/environ`, `~/.ssh/*`) into the skills directory. When run in CI or a maintainer environment, this enables unintended disclosure of host files and secrets through the generated artifacts.",medium,new,2026-03-13T21:49:30.432277Z,2026-02-11 20:36:09 +0500,ar27111994@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,17bce709dedfbbdbcc836c0ca24eaa85713fca66,scripts/sync_microsoft_skills.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/sync_microsoft_skills.py,duplicate of another finding,Microsoft sync resolved symlinked skill directories and copied files without proving the resolved source stayed inside the cloned repo.,filesystem-trust-boundary,Symlink file copying in .github/skills sync leaks host files,Same origin/main behavior as finding 7: the Microsoft sync path trusted resolved symlink targets and copied files from them.,Fix once in sync_microsoft_skills.py by constraining resolved paths to the clone root.,python3 tools/scripts/tests/test_sync_microsoft_skills_security.py,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/7dd6119817408191b7e18678576a958a,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Committed Python bytecode can hide malicious logic,"This update introduces compiled Python bytecode files (core.cpython-314.pyc and design_system.cpython-314.pyc) into the repository. When search.py imports core or design_system, Python will prefer a valid __pycache__ bytecode file over the source module if the timestamp/hash matches the runtime interpreter. This enables a supply‑chain backdoor: malicious code could be embedded in the .pyc while the .py source remains benign, leading to arbitrary code execution when users run the skill scripts.",medium,new,2026-03-13T22:32:57.904438Z,2026-01-16 17:34:54 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,faf478f38907e0929f921bcff73557d57ea97247,skills/ui-ux-pro-max/scripts/search.py | skills/ui-ux-pro-max/scripts/__pycache__/core.cpython-314.pyc | skills/ui-ux-pro-max/scripts/__pycache__/design_system.cpython-314.pyc,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/ui-ux-pro-max/scripts/__pycache__/core.cpython-314.pyc | skills/ui-ux-pro-max/scripts/__pycache__/design_system.cpython-314.pyc,still present but low practical risk,Compiled Python bytecode was committed alongside source.,robustness,Committed Python bytecode can hide malicious logic,"On origin/main, tracked __pycache__ artifacts were still present under skills/ui-ux-pro-max/scripts, which is review-hostile but not independently exploitable.",Remove tracked bytecode artifacts and rely on source-only review plus .gitignore.,node tools/scripts/tests/repo_hygiene_security.test.js,codex/security-robustness
https://chatgpt.com/codex/security/findings/eee41bc6b7bc819186c798ae59fa94a2,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlinked SKILL.md can leak host files via index script,"scripts/generate_index.py walks the skills tree and opens any SKILL.md it finds. Because it does not verify that SKILL.md is a regular file within the skills directory, a contributor can add a SKILL.md symlink pointing to a sensitive file on the build host (e.g., ~/.ssh/id_rsa or /proc/self/environ). When maintainers run the script, it will read that file and embed the extracted content into skills_index.json, which may later be committed or published as an artifact. This is a supply-chain info disclosure risk introduced by the new script.",medium,new,2026-03-13T22:33:24.826296Z,2026-01-14 20:49:05 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,d32f89a21169fbc77bed59b325e3df17f85d2fad,scripts/generate_index.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/generate_index.py,still present but low practical risk,Index generation read symlinked SKILL.md files without checking that the target stayed inside the repo.,filesystem-trust-boundary,Symlinked SKILL.md can leak host files via index script,"On origin/main, generate_index.py opened every SKILL.md it found via os.walk and did not skip symlinked SKILL.md files, so a malicious local symlink could exfiltrate another file into index metadata generation.",Skip symlinked SKILL.md files during indexing.,python3 tools/scripts/tests/test_frontmatter_parsing_security.py,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/c0c1181e19dc81919d5b20f2288dc348,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,"Example loader trusts manifest paths, enabling file read","The added example loader builds file paths from skills_index.json metadata and reads SKILL.md without validating that the resolved path stays within the skills root or that it is not a symlink. If a malicious contributor supplies a crafted skills_index.json entry or a symlinked SKILL.md in the skills tree, a user who runs this loader and references that skill can end up reading and sending local file contents to the model. This is an information disclosure risk in supply-chain scenarios and should be mitigated by normalizing paths, enforcing a skillsRoot prefix check, and rejecting symlinks via lstat/realpath.",low,new,2026-03-13T20:55:25.060750Z,2026-03-11 15:42:35 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,a41f1a4d613c8c0acb424abaa11b6a6f84f3f0ba,examples/jetski-gemini-loader/loader.ts,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,docs/integrations/jetski-gemini-loader/loader.ts,obsolete/not reproducible on current HEAD,Historical manifest-path trust in the Jetski loader example.,,,"On origin/main, the loader example resolves the requested file and rejects any path whose path.relative escapes the configured skills root, so the reported direct file read no longer reproduces.",n/a,n/a,
https://chatgpt.com/codex/security/findings/bafe0096db1081919bad2ba2ec243f5e,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,TLS certificate verification disabled in new scrapers,"The newly added leiloeiros scraping utilities disable TLS certificate verification for all HTTP requests and Playwright page loads. The base scraper uses httpx.AsyncClient with verify=False and Playwright contexts with ignore_https_errors=True, and the fallback scraper repeats verify=False. This allows active network attackers to intercept or tamper with scraped content, potentially poisoning downstream data or leaking any credentials used by the scraper.",low,new,2026-03-13T21:25:34.569244Z,2026-03-07 10:04:07 +0100,renatogracie@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,61ec71c5c7b9b9eaa12504452deda8da8677ba48,skills/junta-leiloeiros/scripts/scraper/base_scraper.py | skills/junta-leiloeiros/scripts/web_scraper_fallback.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/junta-leiloeiros/scripts/scraper/base_scraper.py | skills/junta-leiloeiros/scripts/web_scraper_fallback.py,still present but low practical risk,HTTP scrapers disabled TLS verification by default.,auth-integrity,TLS certificate verification disabled in new scrapers,"On origin/main, both the base scraper and the direct fallback client instantiated HTTP clients with verify=False / ignore_https_errors=True, which weakens transport integrity but is a local-run scraper risk rather than an application RCE.",Enable TLS verification by default and require an explicit environment opt-out for insecure targets.,python3 tools/scripts/tests/test_junta_tls_security.py,codex/security-auth-integrity
https://chatgpt.com/codex/security/findings/e9dcff2b3f0481918fc76060bd837fb8,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Complete bundle omits valid skill categories,"The new tools/lib/skill-filter.js defines SKILL_CATEGORIES with hardcoded values (core, architecture, etc.) that are not aligned with the real categories stored in skills_index.json (e.g., ""development""). The ""complete"" bundle derives its category list from Object.keys(SKILL_CATEGORIES), so any real category not present in the hardcoded list is silently excluded. This means getSkillsByBundle('complete') will omit many skills, defeating the intent of a complete bundle and potentially confusing consumers who expect full coverage.",low,new,2026-03-13T21:04:11.988883Z,2026-03-07 10:02:18 +0100,169171880+Sayeem3051@users.noreply.github.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,5f6f94b53f9b8afa02d020775a0a172af009baaa,tools/lib/skill-filter.js | skills_index.json,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/lib/skill-filter.js | tools/scripts/build-catalog.js | data/bundles.json,obsolete/not reproducible on current HEAD,Historical bundle-category omission in a helper path no longer driving shipped bundle data.,,,"On origin/main, shipped bundle data is generated by tools/scripts/build-catalog.js into data/bundles.json; the reported omission in tools/lib/skill-filter.js does not drive current shipped catalog data.",n/a,n/a,
https://chatgpt.com/codex/security/findings/279041383cc08191abdb9dfa99a03f7c,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Malformed frontmatter delimiter breaks YAML parsing for skills,"The commit replaces valid `license:` fields with lines that start with `---`, e.g. `--- Unknown` in `skills/alpha-vantage/SKILL.md`. The frontmatter parser in `lib/skill-utils.js` reads the block between the first and next `---` line and then parses it as YAML. A `---` marker inside the block is treated as a YAML document delimiter, which makes the frontmatter invalid or splits it into multiple documents. As a result, validators and index generation will report frontmatter parse errors and drop metadata for these skills. This is a regression introduced by the automated fixes.",low,new,2026-03-13T21:09:11.726502Z,2026-03-06 09:18:57 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,93d6badcee41fbacc26b427d3f8d5665ea25b7e6,skills/alpha-vantage/SKILL.md | lib/skill-utils.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/alpha-vantage/SKILL.md | tools/lib/skill-utils.js,still present but low practical risk,Malformed local SKILL.md frontmatter caused parser drift and validation noise.,robustness,Malformed frontmatter delimiter breaks YAML parsing for skills,"On origin/main, skills/alpha-vantage/SKILL.md still contained an extra delimiter token (--- Unknown), which caused parser warnings and broken metadata interpretation.",Repair the malformed frontmatter so the file is a valid YAML frontmatter document.,node tools/scripts/tests/repo_hygiene_security.test.js,codex/security-robustness
https://chatgpt.com/codex/security/findings/f4f1ce7ec10c81918140ad2ea30d7465,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,ws_listener writes sensitive events to predictable /tmp files,"The newly added skills/videodb/scripts/ws_listener.py writes WebSocket events, connection IDs, and PIDs to fixed filenames in a user-controllable output directory that defaults to /tmp. Files are created with default permissions and without safeguards against symlink/hardlink attacks. On multi-user systems this enables local attackers to read captured transcripts or overwrite arbitrary files if the listener is run with higher privileges and a malicious symlink is placed in /tmp.",low,new,2026-03-13T21:19:42.804366Z,2026-03-03 18:02:13 +0530,rohit@spext.co,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,21f7730bb5322b44eff60138ee20be25733f317e,skills/videodb/scripts/ws_listener.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/videodb/scripts/ws_listener.py,still present but low practical risk,A local helper defaulted to predictable shared temporary-file paths.,robustness,ws_listener writes sensitive events to predictable /tmp files,"On origin/main, ws_listener defaulted to /tmp for event, pid, and websocket-id files, which is a same-host local confidentiality risk rather than a remote exploit.",Default to a user-owned state directory instead of shared /tmp when no explicit output dir is provided.,node tools/scripts/tests/local_temp_safety.test.js,codex/security-robustness
https://chatgpt.com/codex/security/findings/774d10a364bc8191a4545e42cb6d75c9,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink traversal lets /skills/ serve arbitrary local files,"The commit adds a custom Vite middleware that serves files from the repo's skills directory. It only checks path traversal with path.resolve() and then uses fs.statSync/createReadStream on the original path. Because path.resolve() does not resolve symlinks and fs.statSync follows them, a symlink placed under skills (e.g., via a malicious skill sync or PR) can point to any file on the host. Requests like /skills/<symlink> will then leak those files. This is a local file disclosure risk if the dev server is reachable on a shared network or within a container.",low,new,2026-03-13T21:26:48.457589Z,2026-03-03 09:27:19 +0100,zinzied@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,7399b2973c3dee050c56e09325a30aba92278df6,web-app/refresh-skills-plugin.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,apps/web-app/refresh-skills-plugin.js,still present but low practical risk,The Vite dev plugin served requested files based on lexical path checks instead of safe realpath containment.,filesystem-trust-boundary,Symlink traversal lets /skills/ serve arbitrary local files,"On origin/main, refresh-skills-plugin.js used path.resolve(filePath).startsWith(...) and fs.statSync(filePath), so a symlink inside skills/ could still read a target outside the intended tree in local dev.",Resolve real paths and only serve files whose resolved path remains inside the skills root.,node tools/scripts/tests/symlink_safety.test.js,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/22e68f79d7f08191b5a2ae8de5c74a99,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Sync Skills endpoint follows symlinks from downloaded archive,"The commit adds a Vite dev-server middleware at /api/refresh-skills that downloads a GitHub ZIP, extracts it, and copies the extracted skills into the repo and web-app/public. The copy routine does not guard against symlinks or validate extracted content. If a malicious archive (e.g., compromised upstream repo or redirected download) includes a symlink under skills pointing outside the repo, copyFolderSync will follow it and copy arbitrary local files into web-app/public, potentially exposing sensitive data via the dev server. The endpoint is unauthenticated and invoked via a GET request from the UI, making it possible for a CSRF-style trigger if the dev server is exposed.",low,new,2026-03-13T21:21:24.441152Z,2026-03-02 09:56:15 +0100,zinzied@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,b42ab600ec7fad506e90e5f15a612df6b7122400,web-app/refresh-skills-plugin.js | web-app/src/pages/Home.jsx,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,apps/web-app/refresh-skills-plugin.js,duplicate of another finding,The Vite dev plugin served requested files based on lexical path checks instead of safe realpath containment.,filesystem-trust-boundary,Symlink traversal lets /skills/ serve arbitrary local files,"On origin/main, the stale Home.jsx path no longer exists, but the live issue is the same plugin root cause as finding 16: once symlinked content lands under skills/, the dev server trusts it by lexical path only.",Fix once in refresh-skills-plugin.js by resolving and constraining real paths.,node tools/scripts/tests/symlink_safety.test.js,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/188240e65ef8819190a3f34657172d78,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Validation crash if YAML frontmatter is not a mapping,"After switching to yaml.safe_load, parse_frontmatter can return a list or scalar when the frontmatter is not a YAML mapping. validate_skills() only checks for falsy metadata and then immediately indexes metadata[""name""], metadata[""description""], etc. If a malformed SKILL.md uses a sequence/scalar that contains strings like ""description"", the membership check passes and the subsequent dict-style access raises a TypeError, crashing the validation script. A malicious contributor could add such a frontmatter to break CI validation (tooling DoS).",low,new,2026-03-13T21:28:56.999912Z,2026-03-01 09:38:25 +0100,72440556+itsmeares@users.noreply.github.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,4a5f1234bb5edc54a85dbd136b9feeb43fad8e95,scripts/validate_skills.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/validate_skills.py,still present but low practical risk,Frontmatter parsers assumed YAML always decoded to a mapping/object.,robustness,Validation crash if YAML frontmatter is not a mapping,"On origin/main, validate_skills.parse_frontmatter returned yaml.safe_load output directly; scalar YAML values were not rejected before downstream key access.",Reject non-mapping frontmatter early and return a validation error instead of passing scalar values downstream.,python3 tools/scripts/tests/test_frontmatter_parsing_security.py,codex/security-robustness
https://chatgpt.com/codex/security/findings/57c4c40bcaa48191964fd242c8c7c213,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Anonymous Supabase writes allow skill star tampering,"The new Supabase integration creates a public client in the browser and writes directly to the skill_stars table from the UI. The only anti-abuse control is a localStorage flag, which is trivially bypassed (clear storage or script direct API calls with the publishable key). If the table is configured to allow anonymous inserts/updates—as required for this feature—any network user can inflate star counts or spam rows, impacting data integrity and potentially costs.",low,new,2026-03-13T21:28:30.655363Z,2026-02-25 17:56:20 +0100,zinzied@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,68266007b9e3bd3fe4eccffd994a7d479eb03fdc,web-app/src/lib/supabase.js | web-app/src/pages/Home.jsx,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,apps/web-app/src/lib/supabase.ts | apps/web-app/src/hooks/useSkillStars.ts | apps/web-app/src/context/SkillContext.tsx,still present and exploitable,Browser code performed direct shared star writes with a public anon client and no repo-local server-side mediation.,auth-integrity,Anonymous Supabase writes allow skill star tampering,"Inference from source: on origin/main, useSkillStars performed a direct upsert to skill_stars from frontend code using the public anon client. The repo contains no server-side gate or versioned policy proving that writes are constrained.",Disable shared frontend writes by default and keep only local starring unless an explicit deployment-time opt-in is provided.,cd apps/web-app && npm test -- --run src/hooks/__tests__/useSkillStarsSecurity.test.ts,codex/security-auth-integrity
https://chatgpt.com/codex/security/findings/9e069e8cc0048191a5703a5ba70ca6ff,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Metadata fixer overwrites symlinked SKILL.md targets,"The newly added maintenance script walks the skills tree and opens any SKILL.md for writing. It does not check whether SKILL.md is a symlink or whether the resolved path stays within the repo. If an attacker contributes a skill directory where SKILL.md is a symlink to an arbitrary file (e.g., in CI or a maintainer’s workstation), running this script will overwrite that target with rewritten frontmatter. This is a classic symlink traversal/arbitrary file overwrite risk in build tooling.",low,new,2026-03-13T21:42:42.429276Z,2026-02-20 19:39:15 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,e36d6fd3b3f6c37967efd3ae60a5a25460d1f824,scripts/fix_skills_metadata.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/fix_skills_metadata.py,still present but low practical risk,Maintenance scripts rewrote symlinked SKILL.md targets without path safety checks.,filesystem-trust-boundary,Metadata fixer overwrites symlinked SKILL.md targets,"On origin/main, fix_skills_metadata.py opened and rewrote every discovered SKILL.md without skipping symlinked files, so a crafted symlink could modify another file.",Skip symlinked SKILL.md files and only mutate real local skill files with mapping frontmatter.,python3 tools/scripts/tests/test_fix_skills_metadata_security.py,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/e29b51f4ce848191a63ce491cf03f29f,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Installer now dereferences symlinks during copy,"This commit changes installs to always clone into a temporary directory and then copy the repo’s skills/ and docs/ into the target using copyRecursiveSync. copyRecursiveSync uses fs.statSync (not lstat) and recursively walks directories, which dereferences symlinks. If a compromised or malicious repo contains a symlink inside skills/ or docs/ pointing to a sensitive local path (e.g., ~/.ssh or /etc), the installer will read and copy those files into the skills directory. Previously, fresh installs used git clone directly, which preserves symlinks rather than copying their targets. This expands the attack surface to all installs and can lead to unintended disclosure or propagation of local files when skills are later used or shared.",low,new,2026-03-13T21:43:58.492792Z,2026-02-19 08:52:55 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,36ebea20bac8a13c1974accdc5df019b77b8c889,bin/install.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/bin/install.js,still present and exploitable,Installer copy logic dereferenced symlinks without constraining the resolved path to the cloned repo.,filesystem-trust-boundary,Installer now dereferences symlinks during copy,"On origin/main, copyRecursiveSync used fs.statSync on cloned content, so a malicious symlink in the repo could copy arbitrary local files into the install target.","Use lstat, resolve symlinks only when they stay inside the cloned repo root, and skip/ignore out-of-root links.",node tools/scripts/tests/copy_security.test.js,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/3d330bc804b881918c5aee016173d23a,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Installer merge path dereferences symlinks when copying,"When the target directory already exists and is not a git repo, the installer now clones the repo into a temp directory and copies it into the target. The new copyRecursiveSync function uses fs.statSync (not lstat) and fs.copyFileSync, which dereference symlinks. If a compromised or malicious repo includes a symlink that points outside the repo (e.g., /etc/passwd or /), the installer will read and copy that external file or directory into the target directory. This introduces a supply-chain style local file disclosure/DoS risk that did not exist when the script previously aborted on non-git directories.",low,new,2026-03-13T21:43:54.333304Z,2026-02-18 18:35:55 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,ac202f006274c93eb6d169cbac9e8e41ee9803ab,bin/install.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/bin/install.js,duplicate of another finding,Installer copy logic dereferenced symlinks without constraining the resolved path to the cloned repo.,filesystem-trust-boundary,Installer now dereferences symlinks during copy,Same origin/main behavior as finding 21: install.js dereferenced symlinks during install/merge copy.,Fix once in install.js by constraining or skipping symlink resolution.,node tools/scripts/tests/copy_security.test.js,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/9750c7b5f2648191b70db89c0744cb34,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Cleanup sync deletes arbitrary paths via flat_name,"The new cleanup_previous_sync routine loads docs/microsoft-skills-attribution.json and iterates each skill's flat_name to build a deletion path. Because flat_name is not validated or constrained to a safe filename, a crafted entry containing path traversal (e.g., ""../../etc"") resolves outside TARGET_DIR. When the maintainer runs the sync script, shutil.rmtree will delete directories outside the repo, leading to destructive filesystem writes. A malicious PR or compromised attribution file could exploit this.",low,new,2026-03-13T21:50:10.785722Z,2026-02-12 00:38:24 +0500,ar27111994@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,35556e030676fa458d7ec7c7c23d741da37a7c44,scripts/sync_microsoft_skills.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/sync_microsoft_skills.py,duplicate of another finding,Microsoft sync trusted frontmatter-derived flat names for filesystem writes and cleanup deletes.,filesystem-trust-boundary,Unsanitized frontmatter name enables path traversal in sync script,Same origin/main root cause as finding 1: cleanup_previous_sync used flat_name from attribution without constraining it to skills/.,Fix once in sync_microsoft_skills.py by sanitizing flat names before delete/copy operations.,python3 tools/scripts/tests/test_sync_microsoft_skills_security.py,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/85cc2dab67f08191a8acfc493fa68e9f,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Audio transcription example allows Python code injection,"The newly added skills/audio-transcriber/examples/basic-transcription.sh uses an unquoted heredoc (python3 << EOF) and directly embeds shell variables like $AUDIO_FILE and $MODEL inside Python string literals. Because the heredoc is unquoted, any quotes or Python syntax contained in a malicious filename (or MODEL environment value) are injected into the Python script at runtime. If a user runs the script on an attacker-supplied audio file with a crafted name, the injected code can execute with the user's privileges.",low,new,2026-03-13T21:58:03.406739Z,2026-02-04 17:37:45 -0300,eric.andrade@avanade.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,801c8fa47555ac331b83ba3040c71ed075dea8c7,skills/audio-transcriber/examples/basic-transcription.sh,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/audio-transcriber/examples/basic-transcription.sh,still present but low practical risk,Example shell script interpolated untrusted shell variables directly into embedded Python code.,shell-safety,Audio transcription example allows Python code injection,"On origin/main, basic-transcription.sh used an unquoted heredoc and embedded $AUDIO_FILE/$MODEL/$TRANSCRIBER directly into Python source, so crafted input could break quoting and inject code in a local example script.",Use quoted heredocs and pass values through environment variables instead of interpolating them into Python source.,node tools/scripts/tests/docs_security_content.test.js,codex/security-shell-safety
https://chatgpt.com/codex/security/findings/6d47effff9a88191a329efd81b65fe5e,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Unbounded recursive skill traversal can crash catalog build,"The newly added listSkillIdsRecursive function walks every subdirectory under skills with unbounded recursion and no cycle/depth checks. A malicious or accidental deeply nested directory tree (or a symlink loop on filesystems that report symlinks as directories) can exhaust the Node.js call stack and crash catalog generation, breaking CI/builds.",low,new,2026-03-13T22:04:01.470812Z,2026-02-02 22:04:20 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,263c5076842e38bcde7a5f353ae3ec089c6f0cfb,lib/skill-utils.js | scripts/build-catalog.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/lib/skill-utils.js | tools/scripts/build-catalog.js,obsolete/not reproducible on current HEAD,Historical concern about recursive traversal following symlink loops.,,,"On origin/main, listSkillIdsRecursive walks Dirent directories from readdirSync({withFileTypes:true}); symlink entries are not treated as directories, so the reported unbounded symlink recursion does not reproduce.",n/a,n/a,
https://chatgpt.com/codex/security/findings/b4a2caf37cf88191af9bd61ff52b082b,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Release scripts still use root skills_index.json path,"The commit relocated skills_index.json into the data/ directory, but the release and README update scripts still read/write the index from the repository root. Running the release cycle now attempts to open skills_index.json at the old location and will fail or regenerate a new file in the wrong place, leaving the canonical data/skills_index.json stale. This is a regression caused by the file move.",low,new,2026-03-13T22:17:55.097915Z,2026-01-28 17:38:45 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,76e0dffad7a40edda8093fa76b8d8af32bec19b5,scripts/update_readme.py | scripts/generate_index.py | scripts/release_cycle.sh,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/update_readme.py | tools/scripts/generate_index.py | tools/scripts/release_cycle.sh,obsolete/not reproducible on current HEAD,Historical path expectation mismatch for generated index output.,,,"On origin/main, root skills_index.json is the canonical generated index and release_cycle.sh is only a wrapper around release_workflow.js, so the reported path mismatch no longer reproduces as a defect.",n/a,n/a,
https://chatgpt.com/codex/security/findings/9d9af398dcc88191be1f6f927f559775,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink traversal in skill normalization allows file overwrite,"The commit introduces listSkillIds in lib/skill-utils.js, which uses fs.statSync and therefore follows symlinks when enumerating skill folders. scripts/normalize-frontmatter.js then derives a SKILL.md path from each entry and rewrites it with fs.writeFileSync. If an attacker adds a symlinked skill directory (e.g., skills/evil -> /etc), running normalize-frontmatter will follow the symlink and overwrite /etc/SKILL.md or any target file named SKILL.md, allowing arbitrary file modification on the maintainer/CI host. Use lstatSync to reject symlinks or resolve real paths and enforce they stay within the skills directory before reading/writing.",low,new,2026-03-13T22:15:38.637449Z,2026-01-28 17:15:26 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,0ffee448285d6830e442b769f9002f7a9dba91b0,lib/skill-utils.js | scripts/normalize-frontmatter.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/lib/skill-utils.js | tools/scripts/normalize-frontmatter.js,still present but low practical risk,Skill discovery used stat-based directory checks that treated symlinked skill dirs/files as local mutable content.,filesystem-trust-boundary,Symlink traversal in skill normalization allows file overwrite,"On origin/main, listSkillIds used fs.statSync and fs.existsSync on child skill dirs, so normalize-frontmatter could treat symlinked skill folders as writable local skills.",Use lstat-based discovery and skip symlinked skill dirs / SKILL.md entries before normalization.,node tools/scripts/tests/skill_utils_security.test.js,codex/security-filesystem-trust-boundary
https://chatgpt.com/codex/security/findings/1a06ce21006c8191a1f482569642fa7e,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,last30days skill passes user input directly to Bash command,"The skill instructs the agent to execute `python3 ... ""$ARGUMENTS""` via the Bash tool. Because `$ARGUMENTS` is derived from the user’s topic and is only wrapped in double quotes, shell command substitution (e.g., `$(...)` or backticks) will still be evaluated. An attacker who can influence the topic (direct user input or prompt injection) can execute arbitrary shell commands in the Claude Code environment.",low,new,2026-03-13T22:21:45.958278Z,2026-01-26 19:05:37 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,c7f7f23bd7ecce8a78ebb19cab04fc1569d5e01b,skills/last30days/SKILL.md,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/last30days/SKILL.md,obsolete/not reproducible on current HEAD,Historical concern about unquoted shell interpolation in skill instructions.,,,"On origin/main, the documented command passes ""$ARGUMENTS"" as a quoted argument to Python, so the reported direct Bash injection sink does not reproduce from the current text.",n/a,n/a,
https://chatgpt.com/codex/security/findings/e3a91005557c8191978bb32695394919,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Unvalidated YAML frontmatter can crash index generation,"The commit switches frontmatter parsing to yaml.safe_load but then assumes the result is a dict of string values. PyYAML can return non-mapping types (e.g., a scalar or list) or non-string values (timestamps, binaries). If a malicious SKILL.md uses such YAML, the merge step can raise TypeError (e.g., metadata is a string/list) or json.dump can fail on non-JSON-serializable objects. Because generate_index.py runs in CI on untrusted skill content, this is a build-time availability issue that can be exploited to crash or block the pipeline.",low,new,2026-03-13T22:23:04.494598Z,2026-01-26 08:30:16 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,9891cb28edfd8405bf3f865c01b8f04ca9e8f9d7,scripts/generate_index.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/generate_index.py,duplicate of another finding,Frontmatter parsers assumed YAML always decoded to a mapping/object.,robustness,Validation crash if YAML frontmatter is not a mapping,"Same origin/main root cause as finding 18, but in generate_index.py instead of validate_skills.py: scalar YAML values were passed through without a mapping check.",Fix once by rejecting non-mapping frontmatter in both parser paths.,python3 tools/scripts/tests/test_frontmatter_parsing_security.py,codex/security-robustness
https://chatgpt.com/codex/security/findings/f21c1074a2148191bb8bcb18b171c39b,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Predictable /tmp counter file enables local file clobbering,"The newly added suggest-compact hook script uses a predictable filename in /tmp (""/tmp/claude-tool-count-$$"") and writes to it with shell redirection. In a multi-user environment, another local user can pre-create a symlink at that path pointing to a victim-owned file. When the victim runs the hook, the script will follow the symlink and truncate/overwrite the target file. This is a classic insecure temporary file issue; use mktemp or a per-user directory with safe file creation to avoid symlink clobbering.",low,new,2026-03-13T22:30:51.612037Z,2026-01-21 17:49:56 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,a9ff10d5111d2cc19f1222790ff58a3185608e01,skills/cc-skill-strategic-compact/suggest-compact.sh,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/cc-skill-strategic-compact/suggest-compact.sh,still present but low practical risk,A local helper used a predictable shared temporary-file path.,robustness,Predictable /tmp counter file enables local file clobbering,"On origin/main, suggest-compact.sh stored state in /tmp/claude-tool-count-$$, which is predictable and shared-host local-only.",Move the counter file into a user-owned state directory.,node tools/scripts/tests/local_temp_safety.test.js,codex/security-robustness
https://chatgpt.com/codex/security/findings/d82004aa844081918c6abb75d578e5fa,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink traversal risk in new sync script,"The newly added scripts/sync_recommended_skills.sh clears the local skills library by changing into the directory and running `rm -rf` on every `*/` match. In bash, `*/` matches symlinks to directories and `rm -rf symlink/` follows the link, deleting the target directory’s contents. If a malicious or compromised skill installation can place a symlink inside the local library (or a local attacker can create one), running this script will delete files outside the intended skills directory. This is a symlink traversal / destructive delete vulnerability affecting local integrity and availability.",low,new,2026-03-13T22:33:00.513276Z,2026-01-18 07:52:10 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,95eeb1dd4b95033547e57a668b4725ea0c33f4dd,scripts/sync_recommended_skills.sh,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/sync_recommended_skills.sh,still present but low practical risk,A local sync helper used recursive copy semantics that could dereference repo symlinks.,filesystem-trust-boundary,Symlink traversal risk in new sync script,"On origin/main, sync_recommended_skills.sh copied a fixed allowlist from the repo with cp -r, which is local-only but still trusts symlink handling in source content.",Use cp -RP so symlinks are preserved instead of dereferenced.,node tools/scripts/tests/repo_hygiene_security.test.js,codex/security-filesystem-trust-boundary
33 https://chatgpt.com/codex/security/findings/3ba537afc7948191a311d56c49c1ab03 sickn33/antigravity-awesome-skills https://github.com/sickn33/antigravity-awesome-skills skills_manager allows path traversal in enable/disable operations The newly added scripts/skills_manager.py constructs source and target paths by concatenating the user-supplied skill name to SKILLS_DIR or DISABLED_DIR without validating that the resolved paths remain within those directories. An attacker (or malicious automation input) can supply values like "../scripts" or "../../.git" to move arbitrary directories in the repo, resulting in unintended file moves or data loss. enable_skill has no guard for path traversal, and disable_skill only blocks dot-prefixed names, not "../" traversal. low new 2026-03-13T22:32:42.251933Z 2026-01-16 17:56:47 +0100 samujackson1337@gmail.com false user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800 4ee569d5d5e89a96b6be43dd6100f6cae5299229 scripts/skills_manager.py 226f10c2a62fc182b4e93458bddea2e60f9b0cb9 tools/scripts/skills_manager.py still present but low practical risk The local skills manager trusted unsanitized skill names in filesystem rename operations. filesystem-trust-boundary skills_manager allows path traversal in enable/disable operations On origin/main, enable_skill/disable_skill joined the user-supplied skill name directly under skills/.disabled and skills/, so ../ segments could escape the intended root. Resolve the requested path and reject names that escape the intended skills directory. python3 tools/scripts/tests/test_skills_manager_security.py codex/security-filesystem-trust-boundary
34 https://chatgpt.com/codex/security/findings/73bc17c96c988191be28a2da534aad7c sickn33/antigravity-awesome-skills https://github.com/sickn33/antigravity-awesome-skills Zip Slip risk in Office unpack scripts The Office file unpack helpers for both docx and pptx use zipfile.ZipFile(...).extractall(output_path) directly on the provided Office file. If a malicious Office document contains entries with ../ or absolute paths, extractall will write outside the intended output directory (Zip Slip), enabling arbitrary file overwrite on the machine running the script. Because these scripts are meant to run on potentially untrusted documents, the lack of path validation is a security issue. low new 2026-03-13T22:35:07.638286Z 2026-01-14 18:48:08 +0100 samujackson1337@gmail.com false user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800 7f46ed8ca119949ad3b406bc85e727db84ee6ece skills/docx/ooxml/scripts/unpack.py | skills/pptx/ooxml/scripts/unpack.py 226f10c2a62fc182b4e93458bddea2e60f9b0cb9 skills/docx-official/ooxml/scripts/unpack.py | skills/pptx-official/ooxml/scripts/unpack.py still present and exploitable Office unpack helpers extracted ZIP members without validating that archive entries stayed inside the output directory. filesystem-trust-boundary Zip Slip risk in Office unpack scripts On origin/main, both unpack.py scripts called ZipFile.extractall(output_path) directly, so a malicious Office archive could write outside the requested directory. Validate each archive member path before extraction and reject path-traversal entries. python3 tools/scripts/tests/test_office_unpack_security.py codex/security-filesystem-trust-boundary
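Review bot: these rows commit contributor e-mail addresses (the `author_email` column, e.g. `samujackson1337@gmail.com`) and an account-scoped `configured_scan_id` value into the docs tree, which the markdown summary does not need; drop those columns, and the `finding_url` links that point at the scanning service rather than this repo, before committing the export, since the triage document already records the decisions. The `test_plan` column also names test files such as `tools/scripts/tests/test_office_unpack_security.py` and `tools/scripts/tests/local_temp_safety.test.js` that are not part of this two-file commit; mark them as planned or land them with the target PRs so the column is not read as evidence that the tests exist.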


@@ -0,0 +1,58 @@
# Security Findings Triage (2026-03-15)
- Baseline: `origin/main@226f10c2a62fc182b4e93458bddea2e60f9b0cb9`
- Input CSV was treated as triage input only, not as ground truth.
- Status meanings: `still present and exploitable`, `still present but low practical risk`, `obsolete/not reproducible on current HEAD`, `duplicate of another finding`.
## Summary
- still present and exploitable: 6
- obsolete/not reproducible on current HEAD: 6
- still present but low practical risk: 14
- duplicate of another finding: 7
## Remediation Buckets
- `codex/security-filesystem-trust-boundary`: findings 1, 3, 7, 10, 16, 20, 21, 27, 31, 32, 33 plus duplicates 5, 6, 8, 17, 22, 23.
- `codex/security-auth-integrity`: findings 12 and 19.
- `codex/security-shell-safety`: findings 4 and 24.
- `codex/security-robustness`: findings 9, 14, 15, 18, 29, 30.
- `codex/security-runtime-exploitable`: no standalone bucket remained after default-branch verification; the actionable issues all fit the filesystem/auth/shell/robustness buckets above.
## Detailed Findings
| # | Severity | Title | Current Paths | Status | Bucket | Why It Is / Is Not Valid On `origin/main` | Minimal Safe Fix | Target PR |
|---|---|---|---|---|---|---|---|---|
| 1 | high | Unsanitized frontmatter name enables path traversal in sync script | `tools/scripts/sync_microsoft_skills.py` | still present and exploitable | filesystem-trust-boundary | On origin/main, sync_microsoft_skills.py used the parsed frontmatter name directly under TARGET_DIR and cleanup_previous_sync reused flat_name from attribution without constraining it to skills/. | Sanitize flat names to a single safe path segment and refuse cleanup/copy targets that resolve outside the cloned repo or local skills/ root. | codex/security-filesystem-trust-boundary |
| 2 | medium | Stored XSS via rehype-raw rendering of skill markdown | `apps/web-app/src/pages/SkillDetail.tsx` | obsolete/not reproducible on current HEAD | n/a | On origin/main, SkillDetail renders markdown with react-markdown + remark-gfm + rehype-highlight only; rehype-raw is no longer imported or enabled. | n/a | n/a |
| 3 | medium | Symlink-following copy leaks host files in setup_web | `tools/scripts/setup_web.js` | still present and exploitable | filesystem-trust-boundary | On origin/main, setup_web.js used fs.statSync and recursive copy on skills/, so a symlink inside skills could resolve to an arbitrary host file or directory and be copied into public assets. | Resolve symlinks only when their real path stays inside skills/; otherwise skip them and keep copying regular entries. | codex/security-filesystem-trust-boundary |
| 4 | medium | Insecure install guidance allows remote script execution | `skills/apify-actorization/SKILL.md` | still present but low practical risk | shell-safety | On origin/main, the Apify actorization skill still recommended curl/irm pipe-to-shell installation and apify login -t, which is documentation-only but directly instructs unsafe execution and credential handling. | Replace pipe-to-shell commands with package-manager guidance and remove command-line token examples. | codex/security-shell-safety |
| 5 | medium | setup_web.js now follows symlinks, enabling file exfiltration | `tools/scripts/setup_web.js` | duplicate of another finding | filesystem-trust-boundary | Same origin/main behavior as finding 3: fs.statSync-based recursive copy in setup_web.js followed symlink targets during public asset setup. | Fix once in setup_web.js by constraining symlink resolution to the skills root. | codex/security-filesystem-trust-boundary |
| 6 | medium | Symlink traversal in web asset setup copies arbitrary files | `tools/scripts/setup_web.js` | duplicate of another finding | filesystem-trust-boundary | Same origin/main behavior as finding 3: the setup_web recursive copy followed symlink targets and copied their resolved content. | Fix once in setup_web.js by constraining symlink resolution to the skills root. | codex/security-filesystem-trust-boundary |
| 7 | medium | Symlink file copying in .github/skills sync leaks host files | `tools/scripts/sync_microsoft_skills.py` | still present and exploitable | filesystem-trust-boundary | On origin/main, find_skills_in_directory accepted symlinked skill dirs by item.resolve() and copy loops accepted regular files from resolved dirs without checking they remained under the clone root. | Reject symlink targets outside the clone root and copy only regular files whose resolved path stays under the clone root. | codex/security-filesystem-trust-boundary |
| 8 | medium | Symlinked file copy in Microsoft skill sync can leak host data | `tools/scripts/sync_microsoft_skills.py` | duplicate of another finding | filesystem-trust-boundary | Same origin/main behavior as finding 7: the Microsoft sync path trusted resolved symlink targets and copied files from them. | Fix once in sync_microsoft_skills.py by constraining resolved paths to the clone root. | codex/security-filesystem-trust-boundary |
| 9 | medium | Committed Python bytecode can hide malicious logic | `skills/ui-ux-pro-max/scripts/__pycache__/core.cpython-314.pyc | skills/ui-ux-pro-max/scripts/__pycache__/design_system.cpython-314.pyc` | still present but low practical risk | robustness | On origin/main, tracked __pycache__ artifacts were still present under skills/ui-ux-pro-max/scripts, which is review-hostile but not independently exploitable. | Remove tracked bytecode artifacts and rely on source-only review plus .gitignore. | codex/security-robustness |
| 10 | medium | Symlinked SKILL.md can leak host files via index script | `tools/scripts/generate_index.py` | still present but low practical risk | filesystem-trust-boundary | On origin/main, generate_index.py opened every SKILL.md it found via os.walk and did not skip symlinked SKILL.md files, so a malicious local symlink could exfiltrate another file into index metadata generation. | Skip symlinked SKILL.md files during indexing. | codex/security-filesystem-trust-boundary |
| 11 | low | Example loader trusts manifest paths, enabling file read | `docs/integrations/jetski-gemini-loader/loader.ts` | obsolete/not reproducible on current HEAD | n/a | On origin/main, the loader example resolves the requested file and rejects any path whose path.relative escapes the configured skills root, so the reported direct file read no longer reproduces. | n/a | n/a |
| 12 | low | TLS certificate verification disabled in new scrapers | `skills/junta-leiloeiros/scripts/scraper/base_scraper.py | skills/junta-leiloeiros/scripts/web_scraper_fallback.py` | still present but low practical risk | auth-integrity | On origin/main, both the base scraper and the direct fallback client instantiated HTTP clients with verify=False / ignore_https_errors=True, which weakens transport integrity but is a local-run scraper risk rather than an application RCE. | Enable TLS verification by default and require an explicit environment opt-out for insecure targets. | codex/security-auth-integrity |
| 13 | low | Complete bundle omits valid skill categories | `tools/lib/skill-filter.js | tools/scripts/build-catalog.js | data/bundles.json` | obsolete/not reproducible on current HEAD | n/a | On origin/main, shipped bundle data is generated by tools/scripts/build-catalog.js into data/bundles.json; the reported omission in tools/lib/skill-filter.js does not drive current shipped catalog data. | n/a | n/a |
| 14 | low | Malformed frontmatter delimiter breaks YAML parsing for skills | `skills/alpha-vantage/SKILL.md | tools/lib/skill-utils.js` | still present but low practical risk | robustness | On origin/main, skills/alpha-vantage/SKILL.md still contained an extra delimiter token (--- Unknown), which caused parser warnings and broken metadata interpretation. | Repair the malformed frontmatter so the file is a valid YAML frontmatter document. | codex/security-robustness |
| 15 | low | ws_listener writes sensitive events to predictable /tmp files | `skills/videodb/scripts/ws_listener.py` | still present but low practical risk | robustness | On origin/main, ws_listener defaulted to /tmp for event, pid, and websocket-id files, which is a same-host local confidentiality risk rather than a remote exploit. | Default to a user-owned state directory instead of shared /tmp when no explicit output dir is provided. | codex/security-robustness |
| 16 | low | Symlink traversal lets /skills/ serve arbitrary local files | `apps/web-app/refresh-skills-plugin.js` | still present but low practical risk | filesystem-trust-boundary | On origin/main, refresh-skills-plugin.js used path.resolve(filePath).startsWith(...) and fs.statSync(filePath), so a symlink inside skills/ could still read a target outside the intended tree in local dev. | Resolve real paths and only serve files whose resolved path remains inside the skills root. | codex/security-filesystem-trust-boundary |
| 17 | low | Sync Skills endpoint follows symlinks from downloaded archive | `apps/web-app/refresh-skills-plugin.js` | duplicate of another finding | filesystem-trust-boundary | On origin/main, the stale Home.jsx path no longer exists, but the live issue is the same plugin root cause as finding 16: once symlinked content lands under skills/, the dev server trusts it by lexical path only. | Fix once in refresh-skills-plugin.js by resolving and constraining real paths. | codex/security-filesystem-trust-boundary |
| 18 | low | Validation crash if YAML frontmatter is not a mapping | `tools/scripts/validate_skills.py` | still present but low practical risk | robustness | On origin/main, validate_skills.parse_frontmatter returned yaml.safe_load output directly; scalar YAML values were not rejected before downstream key access. | Reject non-mapping frontmatter early and return a validation error instead of passing scalar values downstream. | codex/security-robustness |
| 19 | low | Anonymous Supabase writes allow skill star tampering | `apps/web-app/src/lib/supabase.ts | apps/web-app/src/hooks/useSkillStars.ts | apps/web-app/src/context/SkillContext.tsx` | still present and exploitable | auth-integrity | Inference from source: on origin/main, useSkillStars performed a direct upsert to skill_stars from frontend code using the public anon client. The repo contains no server-side gate or versioned policy proving that writes are constrained. | Disable shared frontend writes by default and keep only local starring unless an explicit deployment-time opt-in is provided. | codex/security-auth-integrity |
| 20 | low | Metadata fixer overwrites symlinked SKILL.md targets | `tools/scripts/fix_skills_metadata.py` | still present but low practical risk | filesystem-trust-boundary | On origin/main, fix_skills_metadata.py opened and rewrote every discovered SKILL.md without skipping symlinked files, so a crafted symlink could modify another file. | Skip symlinked SKILL.md files and only mutate real local skill files with mapping frontmatter. | codex/security-filesystem-trust-boundary |
| 21 | low | Installer now dereferences symlinks during copy | `tools/bin/install.js` | still present and exploitable | filesystem-trust-boundary | On origin/main, copyRecursiveSync used fs.statSync on cloned content, so a malicious symlink in the repo could copy arbitrary local files into the install target. | Use lstat, resolve symlinks only when they stay inside the cloned repo root, and skip/ignore out-of-root links. | codex/security-filesystem-trust-boundary |
| 22 | low | Installer merge path dereferences symlinks when copying | `tools/bin/install.js` | duplicate of another finding | filesystem-trust-boundary | Same origin/main behavior as finding 21: install.js dereferenced symlinks during install/merge copy. | Fix once in install.js by constraining or skipping symlink resolution. | codex/security-filesystem-trust-boundary |
| 23 | low | Cleanup sync deletes arbitrary paths via flat_name | `tools/scripts/sync_microsoft_skills.py` | duplicate of another finding | filesystem-trust-boundary | Same origin/main root cause as finding 1: cleanup_previous_sync used flat_name from attribution without constraining it to skills/. | Fix once in sync_microsoft_skills.py by sanitizing flat names before delete/copy operations. | codex/security-filesystem-trust-boundary |
| 24 | low | Audio transcription example allows Python code injection | `skills/audio-transcriber/examples/basic-transcription.sh` | still present but low practical risk | shell-safety | On origin/main, basic-transcription.sh used an unquoted heredoc and embedded $AUDIO_FILE/$MODEL/$TRANSCRIBER directly into Python source, so crafted input could break quoting and inject code in a local example script. | Use quoted heredocs and pass values through environment variables instead of interpolating them into Python source. | codex/security-shell-safety |
| 25 | low | Unbounded recursive skill traversal can crash catalog build | `tools/lib/skill-utils.js | tools/scripts/build-catalog.js` | obsolete/not reproducible on current HEAD | n/a | On origin/main, listSkillIdsRecursive walks Dirent directories from readdirSync({withFileTypes:true}); symlink entries are not treated as directories, so the reported unbounded symlink recursion does not reproduce. | n/a | n/a |
| 26 | low | Release scripts still use root skills_index.json path | `tools/scripts/update_readme.py | tools/scripts/generate_index.py | tools/scripts/release_cycle.sh` | obsolete/not reproducible on current HEAD | n/a | On origin/main, root skills_index.json is the canonical generated index and release_cycle.sh is only a wrapper around release_workflow.js, so the reported path mismatch no longer reproduces as a defect. | n/a | n/a |
| 27 | low | Symlink traversal in skill normalization allows file overwrite | `tools/lib/skill-utils.js | tools/scripts/normalize-frontmatter.js` | still present but low practical risk | filesystem-trust-boundary | On origin/main, listSkillIds used fs.statSync and fs.existsSync on child skill dirs, so normalize-frontmatter could treat symlinked skill folders as writable local skills. | Use lstat-based discovery and skip symlinked skill dirs / SKILL.md entries before normalization. | codex/security-filesystem-trust-boundary |
| 28 | low | last30days skill passes user input directly to Bash command | `skills/last30days/SKILL.md` | obsolete/not reproducible on current HEAD | n/a | On origin/main, the documented command passes "$ARGUMENTS" as a quoted argument to Python, so the reported direct Bash injection sink does not reproduce from the current text. | n/a | n/a |
| 29 | low | Unvalidated YAML frontmatter can crash index generation | `tools/scripts/generate_index.py` | duplicate of another finding | robustness | Same origin/main root cause as finding 18, but in generate_index.py instead of validate_skills.py: scalar YAML values were passed through without a mapping check. | Fix once by rejecting non-mapping frontmatter in both parser paths. | codex/security-robustness |
| 30 | low | Predictable /tmp counter file enables local file clobbering | `skills/cc-skill-strategic-compact/suggest-compact.sh` | still present but low practical risk | robustness | On origin/main, suggest-compact.sh stored state in /tmp/claude-tool-count-$$, which is predictable and shared-host local-only. | Move the counter file into a user-owned state directory. | codex/security-robustness |
| 31 | low | Symlink traversal risk in new sync script | `tools/scripts/sync_recommended_skills.sh` | still present but low practical risk | filesystem-trust-boundary | On origin/main, sync_recommended_skills.sh copied a fixed allowlist from the repo with cp -r, which is local-only but still trusts symlink handling in source content. | Use cp -RP so symlinks are preserved instead of dereferenced. | codex/security-filesystem-trust-boundary |
| 32 | low | skills_manager allows path traversal in enable/disable operations | `tools/scripts/skills_manager.py` | still present but low practical risk | filesystem-trust-boundary | On origin/main, enable_skill/disable_skill joined the user-supplied skill name directly under skills/.disabled and skills/, so ../ segments could escape the intended root. | Resolve the requested path and reject names that escape the intended skills directory. | codex/security-filesystem-trust-boundary |
| 33 | low | Zip Slip risk in Office unpack scripts | `skills/docx-official/ooxml/scripts/unpack.py | skills/pptx-official/ooxml/scripts/unpack.py` | still present and exploitable | filesystem-trust-boundary | On origin/main, both unpack.py scripts called ZipFile.extractall(output_path) directly, so a malicious Office archive could write outside the requested directory. | Validate each archive member path before extraction and reject path-traversal entries. | codex/security-filesystem-trust-boundary |
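Review bot: the closure reason for row 28 does not engage with the finding's stated claim. The CSV entry already notes that `$ARGUMENTS` is double-quoted and argues that command substitution survives quoting, so "passes "$ARGUMENTS" as a quoted argument to Python" restates the condition the finding was filed against rather than refuting it; the validation column should say whether the topic text is substituted into the command before the shell parses it, or the row should move to `still present but low practical risk`. Row 31 has the same gap: the CSV finding concerns `rm -rf` over `*/` matches following symlinked directories during cleanup, while the validation and fix only discuss `cp -r` versus `cp -RP`, so the row should state whether that cleanup step still exists on origin/main. Minor: the robustness bucket line lists duplicate 29 alongside primary findings, while the filesystem bucket separates duplicates with "plus duplicates"; use one convention.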