docs: expand security posture references for contributor and maintainer workflows
This commit is contained in:
sck_0
@@ -158,7 +158,26 @@ More instructions...
|
||||
**Solution:** How to fix it
|
||||
```
|
||||
|
||||
#### 8. Related Skills
|
||||
#### 8. Security & Safety Notes (for command/network/offensive skills)
|
||||
|
||||
If your skill includes:
|
||||
|
||||
- shell commands or command-like examples,
|
||||
- remote fetch/install or token usage guidance,
|
||||
- file mutation, destructive actions, or privileged operations,
|
||||
|
||||
add a dedicated section before final wrap-up:
|
||||
|
||||
```markdown
|
||||
## Security & Safety Notes
|
||||
|
||||
- This is safe/unsafe scope
|
||||
- Required confirmation or authorization
|
||||
- Example allowlist notes (if needed):
|
||||
`<!-- security-allowlist: ... -->`
|
||||
```
|
||||
|
||||
#### 9. Related Skills
|
||||
```markdown
|
||||
## Related Skills
|
||||
|
||||
|
||||
@@ -54,6 +54,17 @@ More instructions...
|
||||
- ❌ Don't do this
|
||||
- ❌ Avoid this
|
||||
|
||||
## Security & Safety Notes
|
||||
|
||||
- If this skill includes shell commands, command-like examples, network fetches, token/capability strings, or direct mutation guidance, add explicit preconditions and caveats.
|
||||
- For deliberate risky examples (for example `curl ... | bash`, `wget ... | sh`, credential examples), include a reviewer-visible reason and add an allowlist comment:
|
||||
|
||||
```markdown
|
||||
<!-- security-allowlist: approved for documented workflow X -->
|
||||
```
|
||||
|
||||
- If the skill can alter files/systems or run dangerous actions, document confirmation gates and environment expectations (`local-only`, `authorized test environment`, etc.).
|
||||
|
||||
## Common Pitfalls
|
||||
|
||||
- **Problem:** Description
|
||||
|
||||
Reference in New Issue
Block a user