diff --git a/README.md b/README.md index fa6c588a..ba6850b9 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ **Antigravity Awesome Skills** is a curated, battle-tested library of **1,259+ high-performance agentic skills** designed to work seamlessly across the major AI coding assistants. -**Current release: V7.8.0.** This repository gives your agent reusable playbooks for planning, coding, debugging, testing, security review, infrastructure work, product thinking, and much more. +**Current release: V7.9.1.** This repository gives your agent reusable playbooks for planning, coding, debugging, testing, security review, infrastructure work, product thinking, and much more. ## Table of Contents @@ -28,6 +28,7 @@ - [📖 Complete Usage Guide](docs/users/usage.md) - **Start here if confused after installation!** - [🔌 Compatibility & Invocation](#compatibility--invocation) - [🛠️ Installation](#installation) +- [🛡️ Security Posture](#security-posture) - [🧯 Troubleshooting](#troubleshooting) - [🎁 Curated Collections (Bundles)](#curated-collections) - [🧭 Antigravity Workflows](#antigravity-workflows) @@ -49,7 +50,7 @@ ### 1. 🐣 Context: What is this? -**Antigravity Awesome Skills** (Release 7.8.0) is a broad, production-oriented upgrade to your AI's capabilities. +**Antigravity Awesome Skills** (Release 7.9.1) is a broad, production-oriented upgrade to your AI's capabilities. AI Agents (like Claude Code, Cursor, or Gemini) are smart, but they lack **specific tools**. They don't know your company's "Deployment Protocol" or the specific syntax for "AWS CloudFormation". **Skills** are small markdown files that teach them how to do these specific tasks perfectly, every time. @@ -117,8 +118,6 @@ These skills follow the universal **SKILL.md** format and work with any AI codin > [!TIP] > **Windows Users**: use the standard install commands. The legacy `core.symlinks=true` / Developer Mode workaround is no longer required for this repository. ---- - ## Installation To use these skills with **Claude Code**, **Gemini CLI**, **Codex CLI**, **Kiro CLI**, **Kiro IDE**, **Cursor**, **Antigravity**, **OpenCode**, or **AdaL**: @@ -170,6 +169,19 @@ This installs the same repository-backed skill library through Claude Code's plu | AdaL CLI | `npx antigravity-awesome-skills --path .adal/skills` | `Use brainstorming to plan a feature` | | Custom path | `npx antigravity-awesome-skills --path ./my-skills` | Depends on your tool | +## Security Posture + +These skills are continuously reviewed and hardened, but the collection is not "safe by default". They are instructions and examples that can include risky operations by design. + +- Runtime hardening now protects the `/api/refresh-skills` mutation flow (method/host checks and optional token gate) before any repo mutation. +- Markdown rendering in the web app avoids raw HTML passthrough (`rehype-raw`) and follows safer defaults for skill content display. +- A repo-wide `SKILL.md` security scan checks for high-risk command patterns (for example `curl|bash`, `wget|sh`, `irm|iex`, command-line token examples) with explicit allowlisting for deliberate exceptions. +- Maintainer-facing tooling has additional path/symlink checks and parser robustness guards for safer sync, index, and install operations. +- Security test coverage for endpoint authorization, rendering safety, and doc-risk patterns is part of the normal CI/release validation flow. +- For the release history and details of the current hardening run, see [MAINTENANCE](.github/MAINTENANCE.md), [CHANGELOG](CHANGELOG.md), and [security findings triage](docs/maintainers/security-findings-triage-2026-03-15.md). + +--- + ## What This Repo Includes - **Skills library**: `skills/` contains the reusable `SKILL.md` collection.