BREAKING CHANGES: - Remove -cskill suffix from all skill names (use standard kebab-case) - Simplify marketplace.json to only official fields (fixes Issue #5) - SKILL.md body must be <500 lines (progressive disclosure via references/) New features: - Cross-platform support for 8+ platforms (Claude Code, Copilot, Cursor, Windsurf, Cline, Codex CLI, Gemini CLI) - scripts/install-template.sh: Auto-detect platform installer with --dry-run - scripts/validate.py: Spec compliance checker for generated skills - scripts/security_scan.py: Security scanner for hardcoded keys and dangerous patterns - MIGRATION.md: v3.x to v4.0 migration guide - 6 new reference files for progressive disclosure from lean SKILL.md Key changes: - SKILL.md: 4,116 → 272 lines with spec-compliant YAML frontmatter - marketplace.json: Stripped to {name, plugins} only - article-to-prototype-cskill/ → article-to-prototype/ - stock-analyzer-cskill/ → stock-analyzer/ - Export system integrates validation + security scanning - README.md rewritten for all supported platforms - Phase 5 pipeline outputs SKILL.md-first, spec-compliant skills Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
30 lines
1.1 KiB
Markdown
30 lines
1.1 KiB
Markdown
# SC-018: Security Scan Detects Hardcoded API Key
|
|
|
|
> Covers: FR-013 — Security scan MUST check for hardcoded API keys, secrets, and .env files
|
|
> Type: Happy Path
|
|
|
|
## Given
|
|
- A generated skill directory `leaky-skill/` contains a script `scripts/main.py` with:
|
|
```python
|
|
API_KEY = "sk-proj-abc123def456ghi789jkl012mno345pqr678stu901vwx234"
|
|
```
|
|
|
|
## When
|
|
- The security scan is run as part of validation (or independently)
|
|
|
|
## Then
|
|
- The security scan fails
|
|
- The `security` list in the validation result contains a finding about the hardcoded API key
|
|
- The finding identifies the file (`scripts/main.py`) and the pattern matched
|
|
|
|
## Verification Method
|
|
|
|
**Method**: Automated test
|
|
|
|
**Steps**:
|
|
1. Create `leaky-skill/scripts/main.py` with a hardcoded API key string
|
|
2. Call `validate_skill("leaky-skill/")` or the dedicated security scan function
|
|
3. Assert `result.security` is non-empty
|
|
4. Assert a security finding references `scripts/main.py` and mentions "hardcoded" or "API key" or "secret"
|
|
|
|
**Expected evidence**: Security findings list includes an entry like `"Hardcoded secret detected in scripts/main.py: possible API key on line 1"`.
|