BREAKING CHANGES: - Remove -cskill suffix from all skill names (use standard kebab-case) - Simplify marketplace.json to only official fields (fixes Issue #5) - SKILL.md body must be <500 lines (progressive disclosure via references/) New features: - Cross-platform support for 8+ platforms (Claude Code, Copilot, Cursor, Windsurf, Cline, Codex CLI, Gemini CLI) - scripts/install-template.sh: Auto-detect platform installer with --dry-run - scripts/validate.py: Spec compliance checker for generated skills - scripts/security_scan.py: Security scanner for hardcoded keys and dangerous patterns - MIGRATION.md: v3.x to v4.0 migration guide - 6 new reference files for progressive disclosure from lean SKILL.md Key changes: - SKILL.md: 4,116 → 272 lines with spec-compliant YAML frontmatter - marketplace.json: Stripped to {name, plugins} only - article-to-prototype-cskill/ → article-to-prototype/ - stock-analyzer-cskill/ → stock-analyzer/ - Export system integrates validation + security scanning - README.md rewritten for all supported platforms - Phase 5 pipeline outputs SKILL.md-first, spec-compliant skills Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 KiB
1 KiB
SC-021: Security Scan Detects Shell Injection Patterns
Covers: FR-014 — Security scan SHOULD check for shell injection patterns in generated scripts Type: Happy Path
Given
- A generated skill directory
unsafe-skill/containsscripts/runner.pywith:import subprocess user_input = input("Enter filename: ") subprocess.call(f"cat {user_input}", shell=True)
When
- The security scan is run on
unsafe-skill/
Then
- The security scan identifies a shell injection risk
- The
securitylist contains a finding aboutsubprocess.callwithshell=Trueand unsanitized input
Verification Method
Method: Automated test
Steps:
- Create
unsafe-skill/scripts/runner.pywithsubprocess.call(..., shell=True)using f-string interpolation - Run the security scan
- Assert security findings reference shell injection or
shell=True
Expected evidence: Security finding like "Potential shell injection in scripts/runner.py: subprocess.call with shell=True and string interpolation".