Skip to content

feat: gstack-skill-validate — security gate for community skills#437

Open
HMAKT99 wants to merge 1 commit intogarrytan:mainfrom
HMAKT99:arun/skill-validate
Open

feat: gstack-skill-validate — security gate for community skills#437
HMAKT99 wants to merge 1 commit intogarrytan:mainfrom
HMAKT99:arun/skill-validate

Conversation

@HMAKT99
Copy link
Contributor

@HMAKT99 HMAKT99 commented Mar 24, 2026
edited
Loading

Summary

  • Validates SKILL.md.tmpl files before installation from untrusted sources
  • Checks: shell injection, path traversal, network exfiltration, frontmatter, placeholders
  • Exit codes: 0=safe, 1=unsafe, 2=invalid
$ gstack-skill-validate path/to/SKILL.md.tmpl
VALIDATION SCORE: 100/100
VERDICT: SAFE — no issues found.

Trust layer for community skill distribution.

1 file, 144 lines

bin/gstack-skill-validate

Test plan

  • All existing tests pass
  • Detects injection, traversal, exfiltration patterns

@HMAKT99
feat: gstack-skill-validate — security gate for community skills
43f10cf 
Validates SKILL.md.tmpl files before installation:
- Shell injection patterns (eval, backtick nesting, curl|bash, sudo)
- Path traversal (../, /etc/, system paths)
- Network exfiltration (requests to non-allowlisted domains)
- Frontmatter structure (name, description, allowed-tools)
- Placeholder compliance (only known {{PLACEHOLDERS}})
- Tool allowlist validation

Exit codes: 0=safe, 1=unsafe, 2=invalid format.
Trust layer for community skill sharing.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@HMAKT99