From 662d2b25edb2df5b809a28bcdbaa7bf858b70792 Mon Sep 17 00:00:00 2001 From: sck_0 Date: Sun, 15 Mar 2026 08:48:58 +0100 Subject: [PATCH] docs: add security findings triage for 2026-03-15 --- .../security-findings-triage-2026-03-15.csv | 34 +++++++++++ .../security-findings-triage-2026-03-15.md | 58 +++++++++++++++++++ 2 files changed, 92 insertions(+) create mode 100644 docs/maintainers/security-findings-triage-2026-03-15.csv create mode 100644 docs/maintainers/security-findings-triage-2026-03-15.md diff --git a/docs/maintainers/security-findings-triage-2026-03-15.csv b/docs/maintainers/security-findings-triage-2026-03-15.csv new file mode 100644 index 00000000..ddcc036e --- /dev/null +++ b/docs/maintainers/security-findings-triage-2026-03-15.csv 
@@ -0,0 +1,34 @@ +finding_url,repository,repository_url,title,description,severity,status,detected_at,committed_at,author_email,assignee_name,assignee_email,has_patch,configured_scan_id,commit_hash,relevant_paths,resolution_reason,current_head_sha,current_paths,triage_status,root_cause,priority_bucket,canonical_finding,validation_reason,minimal_fix,test_plan,target_pr +https://chatgpt.com/codex/security/findings/9206906222ec81919b079cbff33f24cb,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Unsanitized frontmatter name enables path traversal in sync script,"sync_microsoft_skills.py v4 extracts the frontmatter `name` field from each SKILL.md and directly concatenates it with the target directory path. Because the value is not validated or sanitized, a malicious upstream SKILL.md could set `name: ../../../../.ssh` or an absolute path, causing the sync process to create directories and copy files outside the intended skills/ directory. This enables arbitrary file write/overwrite on the machine running the sync script (CI or maintainer workstation), which is a supply-chain risk if the upstream repo is compromised or a malicious contribution is synced.",high,new,2026-03-13T21:49:23.266050Z,2026-02-12 00:17:38 +0500,ar27111994@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,e7ae616385680e37e8b1a9a0327cd97796ac2778,scripts/sync_microsoft_skills.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/sync_microsoft_skills.py,still present and exploitable,Microsoft sync trusted frontmatter-derived flat names for filesystem writes and cleanup deletes.,filesystem-trust-boundary,Unsanitized frontmatter name enables path traversal in sync script,"On origin/main, sync_microsoft_skills.py used the parsed frontmatter name directly under TARGET_DIR and cleanup_previous_sync reused flat_name from attribution without constraining it to skills/.",Sanitize flat names to a single safe path segment and refuse cleanup/copy 
targets that resolve outside the cloned repo or local skills/ root.,python3 tools/scripts/tests/test_sync_microsoft_skills_security.py,codex/security-filesystem-trust-boundary +https://chatgpt.com/codex/security/findings/36213642db54819183a4a3c2ed6a7baf,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Stored XSS via rehype-raw rendering of skill markdown,"The SkillDetail page now enables `rehype-raw` while rendering SKILL.md content. Skill markdown is sourced from the repo (and external syncs) and is effectively untrusted. With `rehype-raw`, any HTML inside SKILL.md is parsed into the DOM, allowing attackers to inject scripts or event handlers, resulting in stored XSS for visitors. There is no sanitization (e.g., `rehype-sanitize`) to mitigate this.",medium,new,2026-03-13T21:02:26.554268Z,2026-03-07 10:08:21 +0100,86960743+shubhamdevx@users.noreply.github.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,1b167e4ca10ae51d041d2d71c6b33dbbe4055bb5,apps/web-app/src/pages/SkillDetail.tsx,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,apps/web-app/src/pages/SkillDetail.tsx,obsolete/not reproducible on current HEAD,Historical rehype-raw usage in markdown rendering.,,,"On origin/main, SkillDetail renders markdown with react-markdown + remark-gfm + rehype-highlight only; rehype-raw is no longer imported or enabled.",n/a,n/a, +https://chatgpt.com/codex/security/findings/e01a4ba9a89c8191aff2edc3fa7e28ac,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink-following copy leaks host files in setup_web,"The updated copy routine in scripts/setup_web.js now uses fs.statSync, which follows symlinks, and copies targets as regular files or directories. This lets a malicious skill entry be a symlink to any file on the build host (e.g., ~/.ssh/id_rsa or CI secrets). 
When npm run app:setup runs, the script copies the resolved target into web-app/public/skills, potentially publishing sensitive host files in the generated assets.",medium,new,2026-03-13T21:20:07.506636Z,2026-03-02 09:29:59 +0100,zinzied@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,c8e1c0ef194ac824501ca78c0a0d6fd1d199ee6d,scripts/setup_web.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/setup_web.js,still present and exploitable,Local copy helpers dereferenced symlinks without constraining the resolved path to the intended skills root.,filesystem-trust-boundary,Symlink-following copy leaks host files in setup_web,"On origin/main, setup_web.js used fs.statSync and recursive copy on skills/, so a symlink inside skills could resolve to an arbitrary host file or directory and be copied into public assets.",Resolve symlinks only when their real path stays inside skills/; otherwise skip them and keep copying regular entries.,node tools/scripts/tests/symlink_safety.test.js && node tools/scripts/tests/copy_security.test.js,codex/security-filesystem-trust-boundary +https://chatgpt.com/codex/security/findings/5d3d78e3a5848191bc5246f22a2c21f7,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Insecure install guidance allows remote script execution,"The added Apify actorization skill includes installation and Dockerfile instructions that execute remote scripts directly via `curl ... | bash`/`sh` (and PowerShell `irm ... | iex`) without integrity checks. It also recommends logging in with `apify login -t $APIFY_TOKEN`, which places the token on the command line where it can be exposed via process listings or shell history. 
Because these skills are intended for AI assistants to follow automatically, these instructions materially increase the chance of remote code execution if the hosted script is compromised or intercepted and can leak credentials.",medium,new,2026-03-13T21:22:44.902021Z,2026-03-01 10:02:50 +0100,ar27111994@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,2f55f046b928714faa7faf16e942fa651ad406e4,skills/apify-actorization/SKILL.md | skills/apify-actorization/references/cli-actorization.md,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/apify-actorization/SKILL.md,still present but low practical risk,Skill instructions recommended pipe-to-shell installs and token-on-command-line login.,shell-safety,Insecure install guidance allows remote script execution,"On origin/main, the Apify actorization skill still recommended curl/irm pipe-to-shell installation and apify login -t, which is documentation-only but directly instructs unsafe execution and credential handling.",Replace pipe-to-shell commands with package-manager guidance and remove command-line token examples.,node tools/scripts/tests/docs_security_content.test.js,codex/security-shell-safety +https://chatgpt.com/codex/security/findings/a80995d785dc8191a0e8fbd50b86fc0c,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,"setup_web.js now follows symlinks, enabling file exfiltration","The change to copyFolderSync now uses fs.statSync (which follows symlinks) and copies the resolved file or directory contents into web-app/public/skills. If an attacker can add a symlink inside skills (e.g., via a malicious PR or external sync) pointing to /etc/passwd or other sensitive files on the build host, running app:setup will include those files in the public build output. Previously, symlinks to files would trigger ENOTDIR and halt copying, preventing silent exfiltration. 
This introduces a symlink traversal/infoleak risk during build or local setup.",medium,new,2026-03-13T21:26:52.050223Z,2026-02-27 08:59:16 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,1e73502c3d666e34394ef4151523168f5223de46,scripts/setup_web.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/setup_web.js,duplicate of another finding,Local copy helpers dereferenced symlinks without constraining the resolved path to the intended skills root.,filesystem-trust-boundary,Symlink-following copy leaks host files in setup_web,Same origin/main behavior as finding 3: fs.statSync-based recursive copy in setup_web.js followed symlink targets during public asset setup.,Fix once in setup_web.js by constraining symlink resolution to the skills root.,node tools/scripts/tests/symlink_safety.test.js && node tools/scripts/tests/copy_security.test.js,codex/security-filesystem-trust-boundary +https://chatgpt.com/codex/security/findings/f2380f065b848191b55c1b6767222232,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink traversal in web asset setup copies arbitrary files,"scripts/setup_web.js copies the entire skills directory into web-app/public via a custom recursive copier. The code only checks isFile() and treats everything else as a directory, which means symbolic links are followed. A malicious skill can include a symlink pointing outside the repo (e.g., /etc, CI secrets, or other host files). 
When app:setup or START_APP.bat runs, those external files are copied into public assets and can be exposed in the built site, resulting in an information leak from the build host.",medium,new,2026-03-13T21:39:44.118360Z,2026-02-24 09:44:01 +0100,zinzied@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,a3358466806dc5a4646d8c5e26c1a550484a5b1e,scripts/setup_web.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/setup_web.js,duplicate of another finding,Local copy helpers dereferenced symlinks without constraining the resolved path to the intended skills root.,filesystem-trust-boundary,Symlink-following copy leaks host files in setup_web,Same origin/main behavior as finding 3: the setup_web recursive copy followed symlink targets and copied their resolved content.,Fix once in setup_web.js by constraining symlink resolution to the skills root.,node tools/scripts/tests/symlink_safety.test.js && node tools/scripts/tests/copy_security.test.js,codex/security-filesystem-trust-boundary +https://chatgpt.com/codex/security/findings/24940dbf717081919c799c7f3e1481e6,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink file copying in .github/skills sync leaks host files,"The commit adds find_github_skills() and a new sync loop for .github/skills entries. The code treats any directory under .github/skills as a skill, then blindly copies every file in that directory using Path.is_file() + shutil.copy2(). is_file() follows symlinks, so if a malicious upstream repo adds a symlink file (e.g., secrets.txt -> /etc/shadow) inside a .github/skills// directory, the sync will read and copy that host file into this repo. 
This is a supply‑chain information disclosure risk when maintainers run the script.",medium,new,2026-03-13T21:51:12.396892Z,2026-02-12 15:34:42 +0500,ar27111994@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,44e51f0ea92646afa82ff99c6ae5edaeb64b03e4,scripts/sync_microsoft_skills.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/sync_microsoft_skills.py,still present and exploitable,Microsoft sync resolved symlinked skill directories and copied files without proving the resolved source stayed inside the cloned repo.,filesystem-trust-boundary,Symlink file copying in .github/skills sync leaks host files,"On origin/main, find_skills_in_directory accepted symlinked skill dirs by item.resolve() and copy loops accepted regular files from resolved dirs without checking they remained under the clone root.",Reject symlink targets outside the clone root and copy only regular files whose resolved path stays under the clone root.,python3 tools/scripts/tests/test_sync_microsoft_skills_security.py,codex/security-filesystem-trust-boundary +https://chatgpt.com/codex/security/findings/ad700289b03c8191a2b256e0b9a72e24,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlinked file copy in Microsoft skill sync can leak host data,"The newly added `scripts/sync_microsoft_skills.py` copies all non-SKILL files from the cloned Microsoft repository into `skills/official/microsoft`. It uses `Path.is_file()` and `shutil.copy2()` without disabling symlink following. If an attacker can introduce a symlinked file in the upstream repo (or a compromised mirror), the script will dereference it and copy the target file contents (e.g., `/proc/self/environ`, `~/.ssh/*`) into the skills directory. 
When run in CI or a maintainer environment, this enables unintended disclosure of host files and secrets through the generated artifacts.",medium,new,2026-03-13T21:49:30.432277Z,2026-02-11 20:36:09 +0500,ar27111994@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,17bce709dedfbbdbcc836c0ca24eaa85713fca66,scripts/sync_microsoft_skills.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/sync_microsoft_skills.py,duplicate of another finding,Microsoft sync resolved symlinked skill directories and copied files without proving the resolved source stayed inside the cloned repo.,filesystem-trust-boundary,Symlink file copying in .github/skills sync leaks host files,Same origin/main behavior as finding 7: the Microsoft sync path trusted resolved symlink targets and copied files from them.,Fix once in sync_microsoft_skills.py by constraining resolved paths to the clone root.,python3 tools/scripts/tests/test_sync_microsoft_skills_security.py,codex/security-filesystem-trust-boundary +https://chatgpt.com/codex/security/findings/7dd6119817408191b7e18678576a958a,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Committed Python bytecode can hide malicious logic,"This update introduces compiled Python bytecode files (core.cpython-314.pyc and design_system.cpython-314.pyc) into the repository. When search.py imports core or design_system, Python will prefer a valid __pycache__ bytecode file over the source module if the timestamp/hash matches the runtime interpreter. 
This enables a supply‑chain backdoor: malicious code could be embedded in the .pyc while the .py source remains benign, leading to arbitrary code execution when users run the skill scripts.",medium,new,2026-03-13T22:32:57.904438Z,2026-01-16 17:34:54 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,faf478f38907e0929f921bcff73557d57ea97247,skills/ui-ux-pro-max/scripts/search.py | skills/ui-ux-pro-max/scripts/__pycache__/core.cpython-314.pyc | skills/ui-ux-pro-max/scripts/__pycache__/design_system.cpython-314.pyc,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/ui-ux-pro-max/scripts/__pycache__/core.cpython-314.pyc | skills/ui-ux-pro-max/scripts/__pycache__/design_system.cpython-314.pyc,still present but low practical risk,Compiled Python bytecode was committed alongside source.,robustness,Committed Python bytecode can hide malicious logic,"On origin/main, tracked __pycache__ artifacts were still present under skills/ui-ux-pro-max/scripts, which is review-hostile but not independently exploitable.",Remove tracked bytecode artifacts and rely on source-only review plus .gitignore.,node tools/scripts/tests/repo_hygiene_security.test.js,codex/security-robustness +https://chatgpt.com/codex/security/findings/eee41bc6b7bc819186c798ae59fa94a2,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlinked SKILL.md can leak host files via index script,"scripts/generate_index.py walks the skills tree and opens any SKILL.md it finds. Because it does not verify that SKILL.md is a regular file within the skills directory, a contributor can add a SKILL.md symlink pointing to a sensitive file on the build host (e.g., ~/.ssh/id_rsa or /proc/self/environ). When maintainers run the script, it will read that file and embed the extracted content into skills_index.json, which may later be committed or published as an artifact. 
This is a supply-chain info disclosure risk introduced by the new script.",medium,new,2026-03-13T22:33:24.826296Z,2026-01-14 20:49:05 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,d32f89a21169fbc77bed59b325e3df17f85d2fad,scripts/generate_index.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/generate_index.py,still present but low practical risk,Index generation read symlinked SKILL.md files without checking that the target stayed inside the repo.,filesystem-trust-boundary,Symlinked SKILL.md can leak host files via index script,"On origin/main, generate_index.py opened every SKILL.md it found via os.walk and did not skip symlinked SKILL.md files, so a malicious local symlink could exfiltrate another file into index metadata generation.",Skip symlinked SKILL.md files during indexing.,python3 tools/scripts/tests/test_frontmatter_parsing_security.py,codex/security-filesystem-trust-boundary +https://chatgpt.com/codex/security/findings/c0c1181e19dc81919d5b20f2288dc348,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,"Example loader trusts manifest paths, enabling file read","The added example loader builds file paths from skills_index.json metadata and reads SKILL.md without validating that the resolved path stays within the skills root or that it is not a symlink. If a malicious contributor supplies a crafted skills_index.json entry or a symlinked SKILL.md in the skills tree, a user who runs this loader and references that skill can end up reading and sending local file contents to the model. 
This is an information disclosure risk in supply-chain scenarios and should be mitigated by normalizing paths, enforcing a skillsRoot prefix check, and rejecting symlinks via lstat/realpath.",low,new,2026-03-13T20:55:25.060750Z,2026-03-11 15:42:35 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,a41f1a4d613c8c0acb424abaa11b6a6f84f3f0ba,examples/jetski-gemini-loader/loader.ts,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,docs/integrations/jetski-gemini-loader/loader.ts,obsolete/not reproducible on current HEAD,Historical manifest-path trust in the Jetski loader example.,,,"On origin/main, the loader example resolves the requested file and rejects any path whose path.relative escapes the configured skills root, so the reported direct file read no longer reproduces.",n/a,n/a, +https://chatgpt.com/codex/security/findings/bafe0096db1081919bad2ba2ec243f5e,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,TLS certificate verification disabled in new scrapers,"The newly added leiloeiros scraping utilities disable TLS certificate verification for all HTTP requests and Playwright page loads. The base scraper uses httpx.AsyncClient with verify=False and Playwright contexts with ignore_https_errors=True, and the fallback scraper repeats verify=False. 
This allows active network attackers to intercept or tamper with scraped content, potentially poisoning downstream data or leaking any credentials used by the scraper.",low,new,2026-03-13T21:25:34.569244Z,2026-03-07 10:04:07 +0100,renatogracie@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,61ec71c5c7b9b9eaa12504452deda8da8677ba48,skills/junta-leiloeiros/scripts/scraper/base_scraper.py | skills/junta-leiloeiros/scripts/web_scraper_fallback.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/junta-leiloeiros/scripts/scraper/base_scraper.py | skills/junta-leiloeiros/scripts/web_scraper_fallback.py,still present but low practical risk,HTTP scrapers disabled TLS verification by default.,auth-integrity,TLS certificate verification disabled in new scrapers,"On origin/main, both the base scraper and the direct fallback client instantiated HTTP clients with verify=False / ignore_https_errors=True, which weakens transport integrity but is a local-run scraper risk rather than an application RCE.",Enable TLS verification by default and require an explicit environment opt-out for insecure targets.,python3 tools/scripts/tests/test_junta_tls_security.py,codex/security-auth-integrity +https://chatgpt.com/codex/security/findings/e9dcff2b3f0481918fc76060bd837fb8,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Complete bundle omits valid skill categories,"The new tools/lib/skill-filter.js defines SKILL_CATEGORIES with hardcoded values (core, architecture, etc.) that are not aligned with the real categories stored in skills_index.json (e.g., ""development""). The ""complete"" bundle derives its category list from Object.keys(SKILL_CATEGORIES), so any real category not present in the hardcoded list is silently excluded. 
This means getSkillsByBundle('complete') will omit many skills, defeating the intent of a complete bundle and potentially confusing consumers who expect full coverage.",low,new,2026-03-13T21:04:11.988883Z,2026-03-07 10:02:18 +0100,169171880+Sayeem3051@users.noreply.github.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,5f6f94b53f9b8afa02d020775a0a172af009baaa,tools/lib/skill-filter.js | skills_index.json,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/lib/skill-filter.js | tools/scripts/build-catalog.js | data/bundles.json,obsolete/not reproducible on current HEAD,Historical bundle-category omission in a helper path no longer driving shipped bundle data.,,,"On origin/main, shipped bundle data is generated by tools/scripts/build-catalog.js into data/bundles.json; the reported omission in tools/lib/skill-filter.js does not drive current shipped catalog data.",n/a,n/a, +https://chatgpt.com/codex/security/findings/279041383cc08191abdb9dfa99a03f7c,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Malformed frontmatter delimiter breaks YAML parsing for skills,"The commit replaces valid `license:` fields with lines that start with `---`, e.g. `--- Unknown` in `skills/alpha-vantage/SKILL.md`. The frontmatter parser in `lib/skill-utils.js` reads the block between the first and next `---` line and then parses it as YAML. A `---` marker inside the block is treated as a YAML document delimiter, which makes the frontmatter invalid or splits it into multiple documents. As a result, validators and index generation will report frontmatter parse errors and drop metadata for these skills. 
This is a regression introduced by the automated fixes.",low,new,2026-03-13T21:09:11.726502Z,2026-03-06 09:18:57 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,93d6badcee41fbacc26b427d3f8d5665ea25b7e6,skills/alpha-vantage/SKILL.md | lib/skill-utils.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/alpha-vantage/SKILL.md | tools/lib/skill-utils.js,still present but low practical risk,Malformed local SKILL.md frontmatter caused parser drift and validation noise.,robustness,Malformed frontmatter delimiter breaks YAML parsing for skills,"On origin/main, skills/alpha-vantage/SKILL.md still contained an extra delimiter token (--- Unknown), which caused parser warnings and broken metadata interpretation.",Repair the malformed frontmatter so the file is a valid YAML frontmatter document.,node tools/scripts/tests/repo_hygiene_security.test.js,codex/security-robustness +https://chatgpt.com/codex/security/findings/f4f1ce7ec10c81918140ad2ea30d7465,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,ws_listener writes sensitive events to predictable /tmp files,"The newly added skills/videodb/scripts/ws_listener.py writes WebSocket events, connection IDs, and PIDs to fixed filenames in a user-controllable output directory that defaults to /tmp. Files are created with default permissions and without safeguards against symlink/hardlink attacks. 
On multi-user systems this enables local attackers to read captured transcripts or overwrite arbitrary files if the listener is run with higher privileges and a malicious symlink is placed in /tmp.",low,new,2026-03-13T21:19:42.804366Z,2026-03-03 18:02:13 +0530,rohit@spext.co,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,21f7730bb5322b44eff60138ee20be25733f317e,skills/videodb/scripts/ws_listener.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/videodb/scripts/ws_listener.py,still present but low practical risk,A local helper defaulted to predictable shared temporary-file paths.,robustness,ws_listener writes sensitive events to predictable /tmp files,"On origin/main, ws_listener defaulted to /tmp for event, pid, and websocket-id files, which is a same-host local confidentiality risk rather than a remote exploit.",Default to a user-owned state directory instead of shared /tmp when no explicit output dir is provided.,node tools/scripts/tests/local_temp_safety.test.js,codex/security-robustness +https://chatgpt.com/codex/security/findings/774d10a364bc8191a4545e42cb6d75c9,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink traversal lets /skills/ serve arbitrary local files,"The commit adds a custom Vite middleware that serves files from the repo's skills directory. It only checks path traversal with path.resolve() and then uses fs.statSync/createReadStream on the original path. Because path.resolve() does not resolve symlinks and fs.statSync follows them, a symlink placed under skills (e.g., via a malicious skill sync or PR) can point to any file on the host. Requests like /skills/ will then leak those files. 
This is a local file disclosure risk if the dev server is reachable on a shared network or within a container.",low,new,2026-03-13T21:26:48.457589Z,2026-03-03 09:27:19 +0100,zinzied@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,7399b2973c3dee050c56e09325a30aba92278df6,web-app/refresh-skills-plugin.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,apps/web-app/refresh-skills-plugin.js,still present but low practical risk,The Vite dev plugin served requested files based on lexical path checks instead of safe realpath containment.,filesystem-trust-boundary,Symlink traversal lets /skills/ serve arbitrary local files,"On origin/main, refresh-skills-plugin.js used path.resolve(filePath).startsWith(...) and fs.statSync(filePath), so a symlink inside skills/ could still read a target outside the intended tree in local dev.",Resolve real paths and only serve files whose resolved path remains inside the skills root.,node tools/scripts/tests/symlink_safety.test.js,codex/security-filesystem-trust-boundary +https://chatgpt.com/codex/security/findings/22e68f79d7f08191b5a2ae8de5c74a99,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Sync Skills endpoint follows symlinks from downloaded archive,"The commit adds a Vite dev-server middleware at /api/refresh-skills that downloads a GitHub ZIP, extracts it, and copies the extracted skills into the repo and web-app/public. The copy routine does not guard against symlinks or validate extracted content. If a malicious archive (e.g., compromised upstream repo or redirected download) includes a symlink under skills pointing outside the repo, copyFolderSync will follow it and copy arbitrary local files into web-app/public, potentially exposing sensitive data via the dev server. 
The endpoint is unauthenticated and invoked via a GET request from the UI, making it possible for a CSRF-style trigger if the dev server is exposed.",low,new,2026-03-13T21:21:24.441152Z,2026-03-02 09:56:15 +0100,zinzied@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,b42ab600ec7fad506e90e5f15a612df6b7122400,web-app/refresh-skills-plugin.js | web-app/src/pages/Home.jsx,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,apps/web-app/refresh-skills-plugin.js,duplicate of another finding,The Vite dev plugin served requested files based on lexical path checks instead of safe realpath containment.,filesystem-trust-boundary,Symlink traversal lets /skills/ serve arbitrary local files,"On origin/main, the stale Home.jsx path no longer exists, but the live issue is the same plugin root cause as finding 16: once symlinked content lands under skills/, the dev server trusts it by lexical path only.",Fix once in refresh-skills-plugin.js by resolving and constraining real paths.,node tools/scripts/tests/symlink_safety.test.js,codex/security-filesystem-trust-boundary +https://chatgpt.com/codex/security/findings/188240e65ef8819190a3f34657172d78,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Validation crash if YAML frontmatter is not a mapping,"After switching to yaml.safe_load, parse_frontmatter can return a list or scalar when the frontmatter is not a YAML mapping. validate_skills() only checks for falsy metadata and then immediately indexes metadata[""name""], metadata[""description""], etc. If a malformed SKILL.md uses a sequence/scalar that contains strings like ""description"", the membership check passes and the subsequent dict-style access raises a TypeError, crashing the validation script. 
A malicious contributor could add such a frontmatter to break CI validation (tooling DoS).",low,new,2026-03-13T21:28:56.999912Z,2026-03-01 09:38:25 +0100,72440556+itsmeares@users.noreply.github.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,4a5f1234bb5edc54a85dbd136b9feeb43fad8e95,scripts/validate_skills.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/validate_skills.py,still present but low practical risk,Frontmatter parsers assumed YAML always decoded to a mapping/object.,robustness,Validation crash if YAML frontmatter is not a mapping,"On origin/main, validate_skills.parse_frontmatter returned yaml.safe_load output directly; scalar YAML values were not rejected before downstream key access.",Reject non-mapping frontmatter early and return a validation error instead of passing scalar values downstream.,python3 tools/scripts/tests/test_frontmatter_parsing_security.py,codex/security-robustness +https://chatgpt.com/codex/security/findings/57c4c40bcaa48191964fd242c8c7c213,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Anonymous Supabase writes allow skill star tampering,"The new Supabase integration creates a public client in the browser and writes directly to the skill_stars table from the UI. The only anti-abuse control is a localStorage flag, which is trivially bypassed (clear storage or script direct API calls with the publishable key). 
If the table is configured to allow anonymous inserts/updates—as required for this feature—any network user can inflate star counts or spam rows, impacting data integrity and potentially costs.",low,new,2026-03-13T21:28:30.655363Z,2026-02-25 17:56:20 +0100,zinzied@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,68266007b9e3bd3fe4eccffd994a7d479eb03fdc,web-app/src/lib/supabase.js | web-app/src/pages/Home.jsx,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,apps/web-app/src/lib/supabase.ts | apps/web-app/src/hooks/useSkillStars.ts | apps/web-app/src/context/SkillContext.tsx,still present and exploitable,Browser code performed direct shared star writes with a public anon client and no repo-local server-side mediation.,auth-integrity,Anonymous Supabase writes allow skill star tampering,"Inference from source: on origin/main, useSkillStars performed a direct upsert to skill_stars from frontend code using the public anon client. The repo contains no server-side gate or versioned policy proving that writes are constrained.",Disable shared frontend writes by default and keep only local starring unless an explicit deployment-time opt-in is provided.,cd apps/web-app && npm test -- --run src/hooks/__tests__/useSkillStarsSecurity.test.ts,codex/security-auth-integrity +https://chatgpt.com/codex/security/findings/9e069e8cc0048191a5703a5ba70ca6ff,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Metadata fixer overwrites symlinked SKILL.md targets,"The newly added maintenance script walks the skills tree and opens any SKILL.md for writing. It does not check whether SKILL.md is a symlink or whether the resolved path stays within the repo. If an attacker contributes a skill directory where SKILL.md is a symlink to an arbitrary file (e.g., in CI or a maintainer’s workstation), running this script will overwrite that target with rewritten frontmatter. 
This is a classic symlink traversal/arbitrary file overwrite risk in build tooling.",low,new,2026-03-13T21:42:42.429276Z,2026-02-20 19:39:15 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,e36d6fd3b3f6c37967efd3ae60a5a25460d1f824,scripts/fix_skills_metadata.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/fix_skills_metadata.py,still present but low practical risk,Maintenance scripts rewrote symlinked SKILL.md targets without path safety checks.,filesystem-trust-boundary,Metadata fixer overwrites symlinked SKILL.md targets,"On origin/main, fix_skills_metadata.py opened and rewrote every discovered SKILL.md without skipping symlinked files, so a crafted symlink could modify another file.",Skip symlinked SKILL.md files and only mutate real local skill files with mapping frontmatter.,python3 tools/scripts/tests/test_fix_skills_metadata_security.py,codex/security-filesystem-trust-boundary +https://chatgpt.com/codex/security/findings/e29b51f4ce848191a63ce491cf03f29f,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Installer now dereferences symlinks during copy,"This commit changes installs to always clone into a temporary directory and then copy the repo’s skills/ and docs/ into the target using copyRecursiveSync. copyRecursiveSync uses fs.statSync (not lstat) and recursively walks directories, which dereferences symlinks. If a compromised or malicious repo contains a symlink inside skills/ or docs/ pointing to a sensitive local path (e.g., ~/.ssh or /etc), the installer will read and copy those files into the skills directory. Previously, fresh installs used git clone directly, which preserves symlinks rather than copying their targets. 
This expands the attack surface to all installs and can lead to unintended disclosure or propagation of local files when skills are later used or shared.",low,new,2026-03-13T21:43:58.492792Z,2026-02-19 08:52:55 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,36ebea20bac8a13c1974accdc5df019b77b8c889,bin/install.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/bin/install.js,still present and exploitable,Installer copy logic dereferenced symlinks without constraining the resolved path to the cloned repo.,filesystem-trust-boundary,Installer now dereferences symlinks during copy,"On origin/main, copyRecursiveSync used fs.statSync on cloned content, so a malicious symlink in the repo could copy arbitrary local files into the install target.","Use lstat, resolve symlinks only when they stay inside the cloned repo root, and skip/ignore out-of-root links.",node tools/scripts/tests/copy_security.test.js,codex/security-filesystem-trust-boundary +https://chatgpt.com/codex/security/findings/3d330bc804b881918c5aee016173d23a,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Installer merge path dereferences symlinks when copying,"When the target directory already exists and is not a git repo, the installer now clones the repo into a temp directory and copies it into the target. The new copyRecursiveSync function uses fs.statSync (not lstat) and fs.copyFileSync, which dereference symlinks. If a compromised or malicious repo includes a symlink that points outside the repo (e.g., /etc/passwd or /), the installer will read and copy that external file or directory into the target directory. 
This introduces a supply-chain style local file disclosure/DoS risk that did not exist when the script previously aborted on non-git directories.",low,new,2026-03-13T21:43:54.333304Z,2026-02-18 18:35:55 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,ac202f006274c93eb6d169cbac9e8e41ee9803ab,bin/install.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/bin/install.js,duplicate of another finding,Installer copy logic dereferenced symlinks without constraining the resolved path to the cloned repo.,filesystem-trust-boundary,Installer now dereferences symlinks during copy,Same origin/main behavior as finding 21: install.js dereferenced symlinks during install/merge copy.,Fix once in install.js by constraining or skipping symlink resolution.,node tools/scripts/tests/copy_security.test.js,codex/security-filesystem-trust-boundary +https://chatgpt.com/codex/security/findings/9750c7b5f2648191b70db89c0744cb34,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Cleanup sync deletes arbitrary paths via flat_name,"The new cleanup_previous_sync routine loads docs/microsoft-skills-attribution.json and iterates each skill's flat_name to build a deletion path. Because flat_name is not validated or constrained to a safe filename, a crafted entry containing path traversal (e.g., ""../../etc"") resolves outside TARGET_DIR. When the maintainer runs the sync script, shutil.rmtree will delete directories outside the repo, leading to destructive filesystem writes. 
A malicious PR or compromised attribution file could exploit this.",low,new,2026-03-13T21:50:10.785722Z,2026-02-12 00:38:24 +0500,ar27111994@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,35556e030676fa458d7ec7c7c23d741da37a7c44,scripts/sync_microsoft_skills.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/sync_microsoft_skills.py,duplicate of another finding,Microsoft sync trusted frontmatter-derived flat names for filesystem writes and cleanup deletes.,filesystem-trust-boundary,Unsanitized frontmatter name enables path traversal in sync script,Same origin/main root cause as finding 1: cleanup_previous_sync used flat_name from attribution without constraining it to skills/.,Fix once in sync_microsoft_skills.py by sanitizing flat names before delete/copy operations.,python3 tools/scripts/tests/test_sync_microsoft_skills_security.py,codex/security-filesystem-trust-boundary +https://chatgpt.com/codex/security/findings/85cc2dab67f08191a8acfc493fa68e9f,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Audio transcription example allows Python code injection,"The newly added skills/audio-transcriber/examples/basic-transcription.sh uses an unquoted heredoc (python3 << EOF) and directly embeds shell variables like $AUDIO_FILE and $MODEL inside Python string literals. Because the heredoc is unquoted, any quotes or Python syntax contained in a malicious filename (or MODEL environment value) are injected into the Python script at runtime. 
If a user runs the script on an attacker-supplied audio file with a crafted name, the injected code can execute with the user's privileges.",low,new,2026-03-13T21:58:03.406739Z,2026-02-04 17:37:45 -0300,eric.andrade@avanade.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,801c8fa47555ac331b83ba3040c71ed075dea8c7,skills/audio-transcriber/examples/basic-transcription.sh,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/audio-transcriber/examples/basic-transcription.sh,still present but low practical risk,Example shell script interpolated untrusted shell variables directly into embedded Python code.,shell-safety,Audio transcription example allows Python code injection,"On origin/main, basic-transcription.sh used an unquoted heredoc and embedded $AUDIO_FILE/$MODEL/$TRANSCRIBER directly into Python source, so crafted input could break quoting and inject code in a local example script.",Use quoted heredocs and pass values through environment variables instead of interpolating them into Python source.,node tools/scripts/tests/docs_security_content.test.js,codex/security-shell-safety +https://chatgpt.com/codex/security/findings/6d47effff9a88191a329efd81b65fe5e,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Unbounded recursive skill traversal can crash catalog build,"The newly added listSkillIdsRecursive function walks every subdirectory under skills with unbounded recursion and no cycle/depth checks. 
A malicious or accidental deeply nested directory tree (or a symlink loop on filesystems that report symlinks as directories) can exhaust the Node.js call stack and crash catalog generation, breaking CI/builds.",low,new,2026-03-13T22:04:01.470812Z,2026-02-02 22:04:20 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,263c5076842e38bcde7a5f353ae3ec089c6f0cfb,lib/skill-utils.js | scripts/build-catalog.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/lib/skill-utils.js | tools/scripts/build-catalog.js,obsolete/not reproducible on current HEAD,Historical concern about recursive traversal following symlink loops.,,,"On origin/main, listSkillIdsRecursive walks Dirent directories from readdirSync({withFileTypes:true}); symlink entries are not treated as directories, so the reported unbounded symlink recursion does not reproduce.",n/a,n/a, +https://chatgpt.com/codex/security/findings/b4a2caf37cf88191af9bd61ff52b082b,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Release scripts still use root skills_index.json path,"The commit relocated skills_index.json into the data/ directory, but the release and README update scripts still read/write the index from the repository root. Running the release cycle now attempts to open skills_index.json at the old location and will fail or regenerate a new file in the wrong place, leaving the canonical data/skills_index.json stale. 
This is a regression caused by the file move.",low,new,2026-03-13T22:17:55.097915Z,2026-01-28 17:38:45 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,76e0dffad7a40edda8093fa76b8d8af32bec19b5,scripts/update_readme.py | scripts/generate_index.py | scripts/release_cycle.sh,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/update_readme.py | tools/scripts/generate_index.py | tools/scripts/release_cycle.sh,obsolete/not reproducible on current HEAD,Historical path expectation mismatch for generated index output.,,,"On origin/main, root skills_index.json is the canonical generated index and release_cycle.sh is only a wrapper around release_workflow.js, so the reported path mismatch no longer reproduces as a defect.",n/a,n/a, +https://chatgpt.com/codex/security/findings/9d9af398dcc88191be1f6f927f559775,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink traversal in skill normalization allows file overwrite,"The commit introduces listSkillIds in lib/skill-utils.js, which uses fs.statSync and therefore follows symlinks when enumerating skill folders. scripts/normalize-frontmatter.js then derives a SKILL.md path from each entry and rewrites it with fs.writeFileSync. If an attacker adds a symlinked skill directory (e.g., skills/evil -> /etc), running normalize-frontmatter will follow the symlink and overwrite /etc/SKILL.md or any target file named SKILL.md, allowing arbitrary file modification on the maintainer/CI host. 
Use lstatSync to reject symlinks or resolve real paths and enforce they stay within the skills directory before reading/writing.",low,new,2026-03-13T22:15:38.637449Z,2026-01-28 17:15:26 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,0ffee448285d6830e442b769f9002f7a9dba91b0,lib/skill-utils.js | scripts/normalize-frontmatter.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/lib/skill-utils.js | tools/scripts/normalize-frontmatter.js,still present but low practical risk,Skill discovery used stat-based directory checks that treated symlinked skill dirs/files as local mutable content.,filesystem-trust-boundary,Symlink traversal in skill normalization allows file overwrite,"On origin/main, listSkillIds used fs.statSync and fs.existsSync on child skill dirs, so normalize-frontmatter could treat symlinked skill folders as writable local skills.",Use lstat-based discovery and skip symlinked skill dirs / SKILL.md entries before normalization.,node tools/scripts/tests/skill_utils_security.test.js,codex/security-filesystem-trust-boundary +https://chatgpt.com/codex/security/findings/1a06ce21006c8191a1f482569642fa7e,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,last30days skill passes user input directly to Bash command,"The skill instructs the agent to execute `python3 ... ""$ARGUMENTS""` via the Bash tool. Because `$ARGUMENTS` is derived from the user’s topic and is only wrapped in double quotes, shell command substitution (e.g., `$(...)` or backticks) will still be evaluated. 
An attacker who can influence the topic (direct user input or prompt injection) can execute arbitrary shell commands in the Claude Code environment.",low,new,2026-03-13T22:21:45.958278Z,2026-01-26 19:05:37 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,c7f7f23bd7ecce8a78ebb19cab04fc1569d5e01b,skills/last30days/SKILL.md,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/last30days/SKILL.md,obsolete/not reproducible on current HEAD,Historical concern about unquoted shell interpolation in skill instructions.,,,"On origin/main, the documented command passes ""$ARGUMENTS"" as a quoted argument to Python, so the reported direct Bash injection sink does not reproduce from the current text.",n/a,n/a, +https://chatgpt.com/codex/security/findings/e3a91005557c8191978bb32695394919,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Unvalidated YAML frontmatter can crash index generation,"The commit switches frontmatter parsing to yaml.safe_load but then assumes the result is a dict of string values. PyYAML can return non-mapping types (e.g., a scalar or list) or non-string values (timestamps, binaries). If a malicious SKILL.md uses such YAML, the merge step can raise TypeError (e.g., metadata is a string/list) or json.dump can fail on non-JSON-serializable objects. 
Because generate_index.py runs in CI on untrusted skill content, this is a build-time availability issue that can be exploited to crash or block the pipeline.",low,new,2026-03-13T22:23:04.494598Z,2026-01-26 08:30:16 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,9891cb28edfd8405bf3f865c01b8f04ca9e8f9d7,scripts/generate_index.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/generate_index.py,duplicate of another finding,Frontmatter parsers assumed YAML always decoded to a mapping/object.,robustness,Validation crash if YAML frontmatter is not a mapping,"Same origin/main root cause as finding 18, but in generate_index.py instead of validate_skills.py: scalar YAML values were passed through without a mapping check.",Fix once by rejecting non-mapping frontmatter in both parser paths.,python3 tools/scripts/tests/test_frontmatter_parsing_security.py,codex/security-robustness +https://chatgpt.com/codex/security/findings/f21c1074a2148191bb8bcb18b171c39b,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Predictable /tmp counter file enables local file clobbering,"The newly added suggest-compact hook script uses a predictable filename in /tmp (""/tmp/claude-tool-count-$$"") and writes to it with shell redirection. In a multi-user environment, another local user can pre-create a symlink at that path pointing to a victim-owned file. When the victim runs the hook, the script will follow the symlink and truncate/overwrite the target file. 
This is a classic insecure temporary file issue; use mktemp or a per-user directory with safe file creation to avoid symlink clobbering.",low,new,2026-03-13T22:30:51.612037Z,2026-01-21 17:49:56 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,a9ff10d5111d2cc19f1222790ff58a3185608e01,skills/cc-skill-strategic-compact/suggest-compact.sh,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/cc-skill-strategic-compact/suggest-compact.sh,still present but low practical risk,A local helper used a predictable shared temporary-file path.,robustness,Predictable /tmp counter file enables local file clobbering,"On origin/main, suggest-compact.sh stored state in /tmp/claude-tool-count-$$, which is predictable and shared-host local-only.",Move the counter file into a user-owned state directory.,node tools/scripts/tests/local_temp_safety.test.js,codex/security-robustness +https://chatgpt.com/codex/security/findings/d82004aa844081918c6abb75d578e5fa,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink traversal risk in new sync script,"The newly added scripts/sync_recommended_skills.sh clears the local skills library by changing into the directory and running `rm -rf` on every `*/` match. In bash, `*/` matches symlinks to directories and `rm -rf symlink/` follows the link, deleting the target directory’s contents. If a malicious or compromised skill installation can place a symlink inside the local library (or a local attacker can create one), running this script will delete files outside the intended skills directory. 
This is a symlink traversal / destructive delete vulnerability affecting local integrity and availability.",low,new,2026-03-13T22:33:00.513276Z,2026-01-18 07:52:10 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,95eeb1dd4b95033547e57a668b4725ea0c33f4dd,scripts/sync_recommended_skills.sh,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/sync_recommended_skills.sh,still present but low practical risk,A local sync helper used recursive copy semantics that could dereference repo symlinks.,filesystem-trust-boundary,Symlink traversal risk in new sync script,"On origin/main, sync_recommended_skills.sh copied a fixed allowlist from the repo with cp -r, which is local-only but still trusts symlink handling in source content.",Use cp -RP so symlinks are preserved instead of dereferenced.,node tools/scripts/tests/repo_hygiene_security.test.js,codex/security-filesystem-trust-boundary +https://chatgpt.com/codex/security/findings/3ba537afc7948191a311d56c49c1ab03,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,skills_manager allows path traversal in enable/disable operations,"The newly added scripts/skills_manager.py constructs source and target paths by concatenating the user-supplied skill name to SKILLS_DIR or DISABLED_DIR without validating that the resolved paths remain within those directories. An attacker (or malicious automation input) can supply values like ""../scripts"" or ""../../.git"" to move arbitrary directories in the repo, resulting in unintended file moves or data loss. 
enable_skill has no guard for path traversal, and disable_skill only blocks dot-prefixed names, not ""../"" traversal.",low,new,2026-03-13T22:32:42.251933Z,2026-01-16 17:56:47 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,4ee569d5d5e89a96b6be43dd6100f6cae5299229,scripts/skills_manager.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/skills_manager.py,still present but low practical risk,The local skills manager trusted unsanitized skill names in filesystem rename operations.,filesystem-trust-boundary,skills_manager allows path traversal in enable/disable operations,"On origin/main, enable_skill/disable_skill joined the user-supplied skill name directly under skills/.disabled and skills/, so ../ segments could escape the intended root.",Resolve the requested path and reject names that escape the intended skills directory.,python3 tools/scripts/tests/test_skills_manager_security.py,codex/security-filesystem-trust-boundary +https://chatgpt.com/codex/security/findings/73bc17c96c988191be28a2da534aad7c,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Zip Slip risk in Office unpack scripts,"The Office file unpack helpers for both docx and pptx use zipfile.ZipFile(...).extractall(output_path) directly on the provided Office file. If a malicious Office document contains entries with ../ or absolute paths, extractall will write outside the intended output directory (Zip Slip), enabling arbitrary file overwrite on the machine running the script. 
Because these scripts are meant to run on potentially untrusted documents, the lack of path validation is a security issue.",low,new,2026-03-13T22:35:07.638286Z,2026-01-14 18:48:08 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,7f46ed8ca119949ad3b406bc85e727db84ee6ece,skills/docx/ooxml/scripts/unpack.py | skills/pptx/ooxml/scripts/unpack.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/docx-official/ooxml/scripts/unpack.py | skills/pptx-official/ooxml/scripts/unpack.py,still present and exploitable,Office unpack helpers extracted ZIP members without validating that archive entries stayed inside the output directory.,filesystem-trust-boundary,Zip Slip risk in Office unpack scripts,"On origin/main, both unpack.py scripts called ZipFile.extractall(output_path) directly, so a malicious Office archive could write outside the requested directory.",Validate each archive member path before extraction and reject path-traversal entries.,python3 tools/scripts/tests/test_office_unpack_security.py,codex/security-filesystem-trust-boundary diff --git a/docs/maintainers/security-findings-triage-2026-03-15.md b/docs/maintainers/security-findings-triage-2026-03-15.md new file mode 100644 index 00000000..eda760a4 --- /dev/null +++ b/docs/maintainers/security-findings-triage-2026-03-15.md 
@@ -0,0 +1,58 @@ +# Security Findings Triage (2026-03-15) + +- Baseline: `origin/main@226f10c2a62fc182b4e93458bddea2e60f9b0cb9` +- Input CSV was treated as triage input only, not as ground truth. +- Status meanings: `still present and exploitable`, `still present but low practical risk`, `obsolete/not reproducible on current HEAD`, `duplicate of another finding`. + +## Summary + +- still present and exploitable: 6 +- obsolete/not reproducible on current HEAD: 6 +- still present but low practical risk: 14 +- duplicate of another finding: 7 + +## Remediation Buckets + +- `codex/security-filesystem-trust-boundary`: findings 1, 3, 7, 10, 16, 20, 21, 27, 31, 32, 33 plus duplicates 5, 6, 8, 17, 22, 23. +- `codex/security-auth-integrity`: findings 12 and 19. +- `codex/security-shell-safety`: findings 4 and 24. +- `codex/security-robustness`: findings 9, 14, 15, 18, 29, 30. +- `codex/security-runtime-exploitable`: no standalone bucket remained after default-branch verification; the actionable issues all fit the filesystem/auth/shell/robustness buckets above. + +## Detailed Findings + +| # | Severity | Title | Current Paths | Status | Bucket | Why It Is / Is Not Valid On `origin/main` | Minimal Safe Fix | Target PR | +|---|---|---|---|---|---|---|---|---| +| 1 | high | Unsanitized frontmatter name enables path traversal in sync script | `tools/scripts/sync_microsoft_skills.py` | still present and exploitable | filesystem-trust-boundary | On origin/main, sync_microsoft_skills.py used the parsed frontmatter name directly under TARGET_DIR and cleanup_previous_sync reused flat_name from attribution without constraining it to skills/. | Sanitize flat names to a single safe path segment and refuse cleanup/copy targets that resolve outside the cloned repo or local skills/ root. 
| codex/security-filesystem-trust-boundary | +| 2 | medium | Stored XSS via rehype-raw rendering of skill markdown | `apps/web-app/src/pages/SkillDetail.tsx` | obsolete/not reproducible on current HEAD | n/a | On origin/main, SkillDetail renders markdown with react-markdown + remark-gfm + rehype-highlight only; rehype-raw is no longer imported or enabled. | n/a | n/a | +| 3 | medium | Symlink-following copy leaks host files in setup_web | `tools/scripts/setup_web.js` | still present and exploitable | filesystem-trust-boundary | On origin/main, setup_web.js used fs.statSync and recursive copy on skills/, so a symlink inside skills could resolve to an arbitrary host file or directory and be copied into public assets. | Resolve symlinks only when their real path stays inside skills/; otherwise skip them and keep copying regular entries. | codex/security-filesystem-trust-boundary | +| 4 | medium | Insecure install guidance allows remote script execution | `skills/apify-actorization/SKILL.md` | still present but low practical risk | shell-safety | On origin/main, the Apify actorization skill still recommended curl/irm pipe-to-shell installation and apify login -t, which is documentation-only but directly instructs unsafe execution and credential handling. | Replace pipe-to-shell commands with package-manager guidance and remove command-line token examples. | codex/security-shell-safety | +| 5 | medium | setup_web.js now follows symlinks, enabling file exfiltration | `tools/scripts/setup_web.js` | duplicate of another finding | filesystem-trust-boundary | Same origin/main behavior as finding 3: fs.statSync-based recursive copy in setup_web.js followed symlink targets during public asset setup. | Fix once in setup_web.js by constraining symlink resolution to the skills root. 
| codex/security-filesystem-trust-boundary | +| 6 | medium | Symlink traversal in web asset setup copies arbitrary files | `tools/scripts/setup_web.js` | duplicate of another finding | filesystem-trust-boundary | Same origin/main behavior as finding 3: the setup_web recursive copy followed symlink targets and copied their resolved content. | Fix once in setup_web.js by constraining symlink resolution to the skills root. | codex/security-filesystem-trust-boundary | +| 7 | medium | Symlink file copying in .github/skills sync leaks host files | `tools/scripts/sync_microsoft_skills.py` | still present and exploitable | filesystem-trust-boundary | On origin/main, find_skills_in_directory accepted symlinked skill dirs by item.resolve() and copy loops accepted regular files from resolved dirs without checking they remained under the clone root. | Reject symlink targets outside the clone root and copy only regular files whose resolved path stays under the clone root. | codex/security-filesystem-trust-boundary | +| 8 | medium | Symlinked file copy in Microsoft skill sync can leak host data | `tools/scripts/sync_microsoft_skills.py` | duplicate of another finding | filesystem-trust-boundary | Same origin/main behavior as finding 7: the Microsoft sync path trusted resolved symlink targets and copied files from them. | Fix once in sync_microsoft_skills.py by constraining resolved paths to the clone root. | codex/security-filesystem-trust-boundary | +| 9 | medium | Committed Python bytecode can hide malicious logic | `skills/ui-ux-pro-max/scripts/__pycache__/core.cpython-314.pyc | skills/ui-ux-pro-max/scripts/__pycache__/design_system.cpython-314.pyc` | still present but low practical risk | robustness | On origin/main, tracked __pycache__ artifacts were still present under skills/ui-ux-pro-max/scripts, which is review-hostile but not independently exploitable. | Remove tracked bytecode artifacts and rely on source-only review plus .gitignore. 
| codex/security-robustness | +| 10 | medium | Symlinked SKILL.md can leak host files via index script | `tools/scripts/generate_index.py` | still present but low practical risk | filesystem-trust-boundary | On origin/main, generate_index.py opened every SKILL.md it found via os.walk and did not skip symlinked SKILL.md files, so a malicious local symlink could exfiltrate another file into index metadata generation. | Skip symlinked SKILL.md files during indexing. | codex/security-filesystem-trust-boundary | +| 11 | low | Example loader trusts manifest paths, enabling file read | `docs/integrations/jetski-gemini-loader/loader.ts` | obsolete/not reproducible on current HEAD | n/a | On origin/main, the loader example resolves the requested file and rejects any path whose path.relative escapes the configured skills root, so the reported direct file read no longer reproduces. | n/a | n/a | +| 12 | low | TLS certificate verification disabled in new scrapers | `skills/junta-leiloeiros/scripts/scraper/base_scraper.py | skills/junta-leiloeiros/scripts/web_scraper_fallback.py` | still present but low practical risk | auth-integrity | On origin/main, both the base scraper and the direct fallback client instantiated HTTP clients with verify=False / ignore_https_errors=True, which weakens transport integrity but is a local-run scraper risk rather than an application RCE. | Enable TLS verification by default and require an explicit environment opt-out for insecure targets. | codex/security-auth-integrity | +| 13 | low | Complete bundle omits valid skill categories | `tools/lib/skill-filter.js | tools/scripts/build-catalog.js | data/bundles.json` | obsolete/not reproducible on current HEAD | n/a | On origin/main, shipped bundle data is generated by tools/scripts/build-catalog.js into data/bundles.json; the reported omission in tools/lib/skill-filter.js does not drive current shipped catalog data. 
| n/a | n/a | +| 14 | low | Malformed frontmatter delimiter breaks YAML parsing for skills | `skills/alpha-vantage/SKILL.md | tools/lib/skill-utils.js` | still present but low practical risk | robustness | On origin/main, skills/alpha-vantage/SKILL.md still contained an extra delimiter token (--- Unknown), which caused parser warnings and broken metadata interpretation. | Repair the malformed frontmatter so the file is a valid YAML frontmatter document. | codex/security-robustness | +| 15 | low | ws_listener writes sensitive events to predictable /tmp files | `skills/videodb/scripts/ws_listener.py` | still present but low practical risk | robustness | On origin/main, ws_listener defaulted to /tmp for event, pid, and websocket-id files, which is a same-host local confidentiality risk rather than a remote exploit. | Default to a user-owned state directory instead of shared /tmp when no explicit output dir is provided. | codex/security-robustness | +| 16 | low | Symlink traversal lets /skills/ serve arbitrary local files | `apps/web-app/refresh-skills-plugin.js` | still present but low practical risk | filesystem-trust-boundary | On origin/main, refresh-skills-plugin.js used path.resolve(filePath).startsWith(...) and fs.statSync(filePath), so a symlink inside skills/ could still read a target outside the intended tree in local dev. | Resolve real paths and only serve files whose resolved path remains inside the skills root. | codex/security-filesystem-trust-boundary | +| 17 | low | Sync Skills endpoint follows symlinks from downloaded archive | `apps/web-app/refresh-skills-plugin.js` | duplicate of another finding | filesystem-trust-boundary | On origin/main, the stale Home.jsx path no longer exists, but the live issue is the same plugin root cause as finding 16: once symlinked content lands under skills/, the dev server trusts it by lexical path only. | Fix once in refresh-skills-plugin.js by resolving and constraining real paths. 
| codex/security-filesystem-trust-boundary | +| 18 | low | Validation crash if YAML frontmatter is not a mapping | `tools/scripts/validate_skills.py` | still present but low practical risk | robustness | On origin/main, validate_skills.parse_frontmatter returned yaml.safe_load output directly; scalar YAML values were not rejected before downstream key access. | Reject non-mapping frontmatter early and return a validation error instead of passing scalar values downstream. | codex/security-robustness | +| 19 | low | Anonymous Supabase writes allow skill star tampering | `apps/web-app/src/lib/supabase.ts | apps/web-app/src/hooks/useSkillStars.ts | apps/web-app/src/context/SkillContext.tsx` | still present and exploitable | auth-integrity | Inference from source: on origin/main, useSkillStars performed a direct upsert to skill_stars from frontend code using the public anon client. The repo contains no server-side gate or versioned policy proving that writes are constrained. | Disable shared frontend writes by default and keep only local starring unless an explicit deployment-time opt-in is provided. | codex/security-auth-integrity | +| 20 | low | Metadata fixer overwrites symlinked SKILL.md targets | `tools/scripts/fix_skills_metadata.py` | still present but low practical risk | filesystem-trust-boundary | On origin/main, fix_skills_metadata.py opened and rewrote every discovered SKILL.md without skipping symlinked files, so a crafted symlink could modify another file. | Skip symlinked SKILL.md files and only mutate real local skill files with mapping frontmatter. | codex/security-filesystem-trust-boundary | +| 21 | low | Installer now dereferences symlinks during copy | `tools/bin/install.js` | still present and exploitable | filesystem-trust-boundary | On origin/main, copyRecursiveSync used fs.statSync on cloned content, so a malicious symlink in the repo could copy arbitrary local files into the install target. 
| Use lstat, resolve symlinks only when they stay inside the cloned repo root, and skip/ignore out-of-root links. | codex/security-filesystem-trust-boundary | +| 22 | low | Installer merge path dereferences symlinks when copying | `tools/bin/install.js` | duplicate of another finding | filesystem-trust-boundary | Same origin/main behavior as finding 21: install.js dereferenced symlinks during install/merge copy. | Fix once in install.js by constraining or skipping symlink resolution. | codex/security-filesystem-trust-boundary | +| 23 | low | Cleanup sync deletes arbitrary paths via flat_name | `tools/scripts/sync_microsoft_skills.py` | duplicate of another finding | filesystem-trust-boundary | Same origin/main root cause as finding 1: cleanup_previous_sync used flat_name from attribution without constraining it to skills/. | Fix once in sync_microsoft_skills.py by sanitizing flat names before delete/copy operations. | codex/security-filesystem-trust-boundary | +| 24 | low | Audio transcription example allows Python code injection | `skills/audio-transcriber/examples/basic-transcription.sh` | still present but low practical risk | shell-safety | On origin/main, basic-transcription.sh used an unquoted heredoc and embedded $AUDIO_FILE/$MODEL/$TRANSCRIBER directly into Python source, so crafted input could break quoting and inject code in a local example script. | Use quoted heredocs and pass values through environment variables instead of interpolating them into Python source. | codex/security-shell-safety | +| 25 | low | Unbounded recursive skill traversal can crash catalog build | `tools/lib/skill-utils.js | tools/scripts/build-catalog.js` | obsolete/not reproducible on current HEAD | n/a | On origin/main, listSkillIdsRecursive walks Dirent directories from readdirSync({withFileTypes:true}); symlink entries are not treated as directories, so the reported unbounded symlink recursion does not reproduce. 
| n/a | n/a | +| 26 | low | Release scripts still use root skills_index.json path | `tools/scripts/update_readme.py | tools/scripts/generate_index.py | tools/scripts/release_cycle.sh` | obsolete/not reproducible on current HEAD | n/a | On origin/main, root skills_index.json is the canonical generated index and release_cycle.sh is only a wrapper around release_workflow.js, so the reported path mismatch no longer reproduces as a defect. | n/a | n/a | +| 27 | low | Symlink traversal in skill normalization allows file overwrite | `tools/lib/skill-utils.js | tools/scripts/normalize-frontmatter.js` | still present but low practical risk | filesystem-trust-boundary | On origin/main, listSkillIds used fs.statSync and fs.existsSync on child skill dirs, so normalize-frontmatter could treat symlinked skill folders as writable local skills. | Use lstat-based discovery and skip symlinked skill dirs / SKILL.md entries before normalization. | codex/security-filesystem-trust-boundary | +| 28 | low | last30days skill passes user input directly to Bash command | `skills/last30days/SKILL.md` | obsolete/not reproducible on current HEAD | n/a | On origin/main, the documented command passes "$ARGUMENTS" as a quoted argument to Python, so the reported direct Bash injection sink does not reproduce from the current text. | n/a | n/a | +| 29 | low | Unvalidated YAML frontmatter can crash index generation | `tools/scripts/generate_index.py` | duplicate of another finding | robustness | Same origin/main root cause as finding 18, but in generate_index.py instead of validate_skills.py: scalar YAML values were passed through without a mapping check. | Fix once by rejecting non-mapping frontmatter in both parser paths. 
| codex/security-robustness | +| 30 | low | Predictable /tmp counter file enables local file clobbering | `skills/cc-skill-strategic-compact/suggest-compact.sh` | still present but low practical risk | robustness | On origin/main, suggest-compact.sh stored state in /tmp/claude-tool-count-$$, which is predictable and shared-host local-only. | Move the counter file into a user-owned state directory. | codex/security-robustness | +| 31 | low | Symlink traversal risk in new sync script | `tools/scripts/sync_recommended_skills.sh` | still present but low practical risk | filesystem-trust-boundary | On origin/main, sync_recommended_skills.sh copied a fixed allowlist from the repo with cp -r, which is local-only but still trusts symlink handling in source content. | Use cp -RP so symlinks are preserved instead of dereferenced. | codex/security-filesystem-trust-boundary | +| 32 | low | skills_manager allows path traversal in enable/disable operations | `tools/scripts/skills_manager.py` | still present but low practical risk | filesystem-trust-boundary | On origin/main, enable_skill/disable_skill joined the user-supplied skill name directly under skills/.disabled and skills/, so ../ segments could escape the intended root. | Resolve the requested path and reject names that escape the intended skills directory. | codex/security-filesystem-trust-boundary | +| 33 | low | Zip Slip risk in Office unpack scripts | `skills/docx-official/ooxml/scripts/unpack.py | skills/pptx-official/ooxml/scripts/unpack.py` | still present and exploitable | filesystem-trust-boundary | On origin/main, both unpack.py scripts called ZipFile.extractall(output_path) directly, so a malicious Office archive could write outside the requested directory. | Validate each archive member path before extraction and reject path-traversal entries. | codex/security-filesystem-trust-boundary |
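Review bot: the minimal fix for finding 31 ("Use cp -RP so symlinks are preserved instead of dereferenced") is inconsistent with the fix chosen for finding 21 ("resolve symlinks only when they stay inside the cloned repo root, and skip/ignore out-of-root links"). Preserving links verbatim stops the copy itself from reading arbitrary local files, but it still lands out-of-root symlinks under skills/, which findings 16 and 17 say the dev server then trusts by lexical path only; consider aligning 31 with 21 by skipping or rejecting links whose target resolves outside the source root. Separately, the relevant_paths cells that list several files use a bare `|` inside a code span (for example `skills/alpha-vantage/SKILL.md | tools/lib/skill-utils.js` in findings 14, 19, 25, 26, 27 and 33); in a GFM table a pipe is a cell separator even inside backticks, so these rows will render with extra columns unless the pipes are written as `\|` or the paths are separated with another character.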