docs: document contributor security posture checks

sck_0
2026-03-15 10:00:25 +01:00
parent 6bfeb43880
commit ee53e7d8e7
4 changed files with 45 additions and 1 deletions


@@ -4,7 +4,7 @@ To transform **Antigravity Awesome Skills** from a collection of scripts into a
## The "Validated" Badge ✅
A skill earns the "Validated" badge only if it meets these **5 quality checks**. Some are enforced automatically today, while others still require reviewer judgment:
A skill earns the "Validated" badge only if it meets these **6 quality checks**. Some are enforced automatically today, while others still require reviewer judgment:
### 1. Metadata Integrity
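Review bot: The check count in the badge sentence is hard-coded ("these **6 quality checks**") and has to be bumped by hand whenever a check is added or removed, as this change shows. Consider dropping the number ("only if it meets all of the quality checks below") so the sentence cannot drift out of step with the numbered sections. The sentence also says some checks are enforced automatically and others need reviewer judgment without saying which; since this commit adds a check backed by a script, it would help to mark each check as automated or manual.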
@@ -42,6 +42,16 @@ A list of known edge cases or things the skill _cannot_ do.
- _Example_: "Does not work on Windows without WSL."
### 6. Instruction Safety Review
If a skill includes command examples, remote fetch steps, secrets, or mutation guidance, the PR must document the risk and pass `npm run security:docs` in addition to normal validation.
`npm run security:docs` enforces a repo-wide scan for:
- command pipelines like `curl ... | bash`, `wget ... | sh`, `irm ... | iex`,
- inline token/secret-style command examples,
- deliberate allowlisted high-risk documentation commands via `<!-- security-allowlist: ... -->`.
---
## Support Levels
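Review bot: The third bullet under "`npm run security:docs` enforces a repo-wide scan for:" lists allowlisted commands as something the scan looks for, which reads as if `<!-- security-allowlist: ... -->` content is flagged rather than exempted. State the behaviour explicitly: what the scan rejects (the first two bullets), and how an allowlist comment changes the result, including where the comment must sit relative to the command and what goes in place of the `...`. Two smaller points: "the PR must document the risk" does not say whether that means the PR description or the skill body, and the first bullet ends with a stray trailing comma. The paragraph's triggers also include "secrets" and "mutation guidance", but only the pipe-to-shell and token patterns are listed as scanned, so say that the remaining triggers rely on reviewer judgment if that is the case.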
@@ -64,10 +74,12 @@ The canonical validator is `tools/scripts/validate_skills.py`, but the recommend
npm run validate
npm run validate:references
npm test
npm run security:docs
```
Notes:
- `npm run validate` is the operational contributor gate.
- `npm run security:docs` is required for command-heavy or risky skill content.
- `npm run validate:strict` is a useful hardening pass, but the repository still contains legacy skills that do not yet satisfy strict validation.
- Examples and limitations remain part of the quality bar even when they are not fully auto-enforced by the current validator.
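Review bot: The command block adds `npm run security:docs` to the sequence every contributor runs, but the new note says it "is required for command-heavy or risky skill content", so it is unclear whether the check is unconditional or conditional. "Command-heavy" and "risky" are not defined here; either make the command a required step for every PR (it is described elsewhere in this change as a repo-wide scan, so running it always costs little) or point the note at the triggers listed in "6. Instruction Safety Review". It would also help to say how this relates to the existing statement that `npm run validate` is "the operational contributor gate": does a `security:docs` failure block a merge?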


@@ -39,6 +39,8 @@ _Examples: Linting, Log Analysis, Configuration Auditing._
- **Data Privacy**: Defensive skills must not upload data to 3rd party servers without explicit user consent.
- **Non-Destructive**: Audits should be read-only by default.
- **Documentation review**: Defensive skills with command examples must still be reviewed for unsafe command patterns.
- **High-risk examples** (`curl|bash`, `wget|sh`, etc.) must use explicit allowlisting comments and clear warning context in the skill body when retained for operational examples.
---
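Review bot: The "High-risk examples" bullet names `curl|bash`, `wget|sh`, "etc.", which does not match the pattern list in the quality bar document from this same commit (that one also names `irm ... | iex`), and "etc." leaves the scope open. Link to the "Instruction Safety Review" section instead of repeating a partial list, and give the exact comment syntax (`<!-- security-allowlist: ... -->`) here so authors do not have to guess what "explicit allowlisting comments" means. "Clear warning context" is also undefined; one sentence on what a reviewer should expect to see next to an allowlisted command would make this enforceable. Finally, both new bullets sit in the defensive-skills list, yet the second is not worded as specific to defensive skills; if it applies to every skill category, it belongs in a shared section.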