Add a machine-readable CSV companion for the 2026-03-29 security re-triage so maintainers can consume the refreshed statuses outside the markdown report.

Link the refresh markdown and walkthrough to the new export to keep the historical baseline, addendum, and current-head report aligned.
9.2 KiB
| 1 | finding_id | title | current_status | current_paths | validation_reason | evidence |
|---|---|---|---|---|---|---|
| 2 | 1 | Unsanitized frontmatter name enables path traversal in sync script | obsolete/not reproducible on current HEAD | tools/scripts/sync_microsoft_skills.py | sync_microsoft_skills.py now sanitizes flat names and constrains delete/copy targets to safe in-repo paths. | tools/scripts/tests/test_sync_microsoft_skills_security.py |
| 3 | 2 | Stored XSS via rehype-raw rendering of skill markdown | obsolete/not reproducible on current HEAD | apps/web-app/src/pages/SkillDetail.tsx | SkillDetail still renders markdown without rehype-raw; the reported stored-XSS path does not reproduce. | apps/web-app/src/pages/SkillDetail.tsx |
| 4 | 3 | Symlink-following copy leaks host files in setup_web | obsolete/not reproducible on current HEAD | tools/scripts/setup_web.js | setup_web.js now uses lstatSync plus resolveSafeRealPath() and skips out-of-root symlinks. | tools/scripts/tests/copy_security.test.js |
| 5 | 4 | Insecure install guidance allows remote script execution | obsolete/not reproducible on current HEAD | skills/apify-actorization/SKILL.md | The Apify skill no longer recommends pipe-to-shell installs or token-on-command-line login. | skills/apify-actorization/SKILL.md |
| 6 | 5 | setup_web.js now follows symlinks, enabling file exfiltration | duplicate of another finding | tools/scripts/setup_web.js | Same root cause/fix area as finding 3. | tools/scripts/setup_web.js |
| 7 | 6 | Symlink traversal in web asset setup copies arbitrary files | duplicate of another finding | tools/scripts/setup_web.js | Same root cause/fix area as finding 3. | tools/scripts/setup_web.js |
| 8 | 7 | Symlink file copying in .github/skills sync leaks host files | obsolete/not reproducible on current HEAD | tools/scripts/sync_microsoft_skills.py | Microsoft sync now rejects unsafe symlink targets and only accepts safe regular files that stay within the cloned source root. | tools/scripts/tests/test_sync_microsoft_skills_security.py |
| 9 | 8 | Symlinked file copy in Microsoft skill sync can leak host data | duplicate of another finding | tools/scripts/sync_microsoft_skills.py | Same root cause/fix area as finding 7. | tools/scripts/sync_microsoft_skills.py |
| 10 | 9 | Committed Python bytecode can hide malicious logic | obsolete/not reproducible on current HEAD | skills/ui-ux-pro-max/scripts/__pycache__ | Tracked __pycache__ artifacts are absent on current main and repo hygiene tests fail if they reappear. | tools/scripts/tests/repo_hygiene_security.test.js |
| 11 | 10 | Symlinked SKILL.md can leak host files via index script | obsolete/not reproducible on current HEAD | tools/scripts/generate_index.py | generate_index.py now ignores symlinked SKILL.md files during index generation. | tools/scripts/tests/test_frontmatter_parsing_security.py |
| 12 | 11 | Example loader trusts manifest paths, enabling file read | obsolete/not reproducible on current HEAD | docs/integrations/jetski-gemini-loader/loader.mjs | The Jetski loader rejects symlinked skill directories/files and any resolved SKILL.md outside the configured skills root. | tools/scripts/tests/jetski_gemini_loader.test.cjs |
| 13 | 12 | TLS certificate verification disabled in new scrapers | obsolete/not reproducible on current HEAD | skills/junta-leiloeiros/scripts/scraper/base_scraper.py | skills/junta-leiloeiros/scripts/web_scraper_fallback.py | TLS verification is enabled by default again; insecure behavior requires an explicit opt-out environment flag. | skills/junta-leiloeiros/scripts/scraper/base_scraper.py |
| 14 | 13 | Complete bundle omits valid skill categories | obsolete/not reproducible on current HEAD | tools/lib/skill-filter.js | tools/scripts/build-catalog.js | data/bundles.json | The old helper-path omission still does not drive shipped bundle output; current bundles come from build-catalog.js. | tools/scripts/build-catalog.js |
| 15 | 14 | Malformed frontmatter delimiter breaks YAML parsing for skills | obsolete/not reproducible on current HEAD | skills/alpha-vantage/SKILL.md | The malformed --- Unknown frontmatter regression is no longer present in alpha-vantage. | tools/scripts/tests/repo_hygiene_security.test.js |
| 16 | 15 | ws_listener writes sensitive events to predictable /tmp files | obsolete/not reproducible on current HEAD | skills/videodb/scripts/ws_listener.py | ws_listener.py now defaults to a user-owned state directory and uses secure file creation. | tools/scripts/tests/local_temp_safety.test.js |
| 17 | 16 | Symlink traversal lets /skills/ serve arbitrary local files | obsolete/not reproducible on current HEAD | apps/web-app/refresh-skills-plugin.js | refresh-skills-plugin.js resolves real paths under the skills root before serving /skills/*; the public Pages app no longer exposes the maintainer sync surface. | apps/web-app/refresh-skills-plugin.js |
| 18 | 17 | Sync Skills endpoint follows symlinks from downloaded archive | duplicate of another finding | apps/web-app/refresh-skills-plugin.js | Same root cause/fix area as finding 16. | apps/web-app/refresh-skills-plugin.js |
| 19 | 18 | Validation crash if YAML frontmatter is not a mapping | obsolete/not reproducible on current HEAD | tools/scripts/validate_skills.py | validate_skills.py now rejects non-mapping YAML frontmatter cleanly instead of crashing downstream validation. | tools/scripts/tests/test_frontmatter_parsing_security.py |
| 20 | 19 | Anonymous Supabase writes allow skill star tampering | obsolete/not reproducible on current HEAD | apps/web-app/src/hooks/useSkillStars.ts | apps/web-app/src/lib/supabase.ts | useSkillStars now stores saves locally in the browser and no longer performs shared frontend writes through the public Supabase client. | apps/web-app/src/hooks/useSkillStars.ts |
| 21 | 20 | Metadata fixer overwrites symlinked SKILL.md targets | obsolete/not reproducible on current HEAD | tools/scripts/fix_skills_metadata.py | fix_skills_metadata.py now skips symlinked SKILL.md files and non-mapping frontmatter. | tools/scripts/fix_skills_metadata.py |
| 22 | 21 | Installer now dereferences symlinks during copy | obsolete/not reproducible on current HEAD | tools/bin/install.js | install.js now uses lstatSync plus resolveSafeRealPath() and skips symlinks that resolve outside the cloned repo root. | tools/scripts/tests/copy_security.test.js |
| 23 | 22 | Installer merge path dereferences symlinks when copying | duplicate of another finding | tools/bin/install.js | Same root cause/fix area as finding 21. | tools/bin/install.js |
| 24 | 23 | Cleanup sync deletes arbitrary paths via flat_name | duplicate of another finding | tools/scripts/sync_microsoft_skills.py | Same root cause/fix area as finding 1. | tools/scripts/sync_microsoft_skills.py |
| 25 | 24 | Audio transcription example allows Python code injection | obsolete/not reproducible on current HEAD | skills/audio-transcriber/examples/basic-transcription.sh | The audio transcription example now uses a quoted heredoc and passes values via environment variables. | skills/audio-transcriber/examples/basic-transcription.sh |
| 26 | 25 | Unbounded recursive skill traversal can crash catalog build | obsolete/not reproducible on current HEAD | tools/lib/skill-utils.js | tools/scripts/build-catalog.js | The claimed recursive symlink traversal in catalog discovery still does not reproduce on current code paths. | tools/lib/skill-utils.js |
| 27 | 26 | Release scripts still use root skills_index.json path | obsolete/not reproducible on current HEAD | tools/scripts/update_readme.py | tools/scripts/generate_index.py | tools/scripts/release_workflow.js | Root skills_index.json remains the canonical generated index, so the reported release-script path mismatch does not reproduce. | tools/scripts/release_workflow.js |
| 28 | 27 | Symlink traversal in skill normalization allows file overwrite | obsolete/not reproducible on current HEAD | tools/lib/skill-utils.js | tools/scripts/normalize-frontmatter.js | skill-utils.js now relies on lstatSync-based safe directory/file discovery, so normalization does not treat symlinked skill folders as writable local skills. | tools/lib/skill-utils.js |
| 29 | 28 | last30days skill passes user input directly to Bash command | obsolete/not reproducible on current HEAD | skills/last30days/SKILL.md | The last30days skill still passes user input as a quoted value through a temp file, so the reported direct shell-injection sink does not reproduce. | skills/last30days/SKILL.md |
| 30 | 29 | Unvalidated YAML frontmatter can crash index generation | duplicate of another finding | tools/scripts/generate_index.py | Same root cause/fix area as finding 18. | tools/scripts/generate_index.py |
| 31 | 30 | Predictable /tmp counter file enables local file clobbering | obsolete/not reproducible on current HEAD | skills/cc-skill-strategic-compact/suggest-compact.sh | The strategic compact hook now stores state under XDG_STATE_HOME instead of predictable shared /tmp paths. | tools/scripts/tests/local_temp_safety.test.js |
| 32 | 31 | Symlink traversal risk in new sync script | obsolete/not reproducible on current HEAD | tools/scripts/sync_recommended_skills.sh | sync_recommended_skills.sh now preserves symlinks with cp -RP and avoids the destructive glob-delete pattern from the original report. | tools/scripts/tests/repo_hygiene_security.test.js |
| 33 | 32 | skills_manager allows path traversal in enable/disable operations | obsolete/not reproducible on current HEAD | tools/scripts/skills_manager.py | skills_manager.py now resolves candidate paths relative to the intended base directory and rejects traversal attempts. | tools/scripts/tests/test_skills_manager_security.py |
| 34 | 33 | Zip Slip risk in Office unpack scripts | obsolete/not reproducible on current HEAD | skills/docx-official/ooxml/scripts/unpack.py | skills/pptx-official/ooxml/scripts/unpack.py | The Office unpack helpers now validate archive members and reject traversal/symlink-style entries before extraction. | tools/scripts/tests/test_office_unpack_security.py |
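
Review bot: The rows for findings 12, 13, 19, 25, 26, 27 and 33 render with more cells than the header row, because current_paths carries several paths (for example `tools/lib/skill-filter.js | tools/scripts/build-catalog.js | data/bundles.json` on finding 13), so a consumer reading by position would pick up a path where it expects validation_reason or evidence. Keep multi-path values inside one quoted field with a delimiter documented next to the export, and add a test that every row parses to the same number of fields as the header. Separately, the duplicate rows (findings 5, 6, 8, 17, 22, 23 and 29) name their canonical finding only in validation_reason prose such as "Same root cause/fix area as finding 3."; a dedicated duplicate_of column would let tooling follow that link without parsing free text.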