Skip to content

Add SKILL-020 through SKILL-024 checks (204 total)#59

Merged
thebenignhacker merged 1 commit intomainfrom
feat/skill-020-024
Mar 23, 2026
Merged

Add SKILL-020 through SKILL-024 checks (204 total)#59
thebenignhacker merged 1 commit intomainfrom
feat/skill-020-024

Conversation

@thebenignhacker
Copy link
Copy Markdown
Contributor

@thebenignhacker thebenignhacker commented Mar 23, 2026

Summary

Move 5 skill security checks from CLI-only to HMA scanner. These were previously only available via opena2a CLI but not via npx hackmyagent.

New checks (199 -> 204)

  • SKILL-020 (high): Missing/invalid YAML frontmatter
  • SKILL-021 (high): Overprivileged permission combinations (filesystem + network)
  • SKILL-022 (critical): Environment variable exfiltration (env access + outbound network)
  • SKILL-023 (high): Obfuscated code patterns (eval, atob, Buffer.from, hex strings)
  • SKILL-024 (medium): Unbounded tool chaining without iteration limits

Changes

  • src/hardening/scanner.ts: 5 new checks in checkOpenclawSkills method
  • README.md: Check count updated from 199 to 204

Build

TypeScript compilation passes. All 5 check IDs confirmed in built output.

@thebenignhacker
Add SKILL-020 through SKILL-024 checks to HMA scanner
38e4b8d 
Move 5 skill security checks from OpenA2A CLI to HMA as the canonical
scanner location:

- SKILL-020: Missing/invalid YAML frontmatter validation
- SKILL-021: Overprivileged permissions (dangerous capability combos)
- SKILL-022: Environment variable exfiltration risk detection
- SKILL-023: Obfuscated code patterns (eval, atob, hex-encoded strings)
- SKILL-024: Unbounded tool chaining without iteration limits

Updates check count from 199 to 204 in README.
@thebenignhacker thebenignhacker merged commit b2f67e6 into main Mar 23, 2026
1 check passed
@thebenignhacker thebenignhacker deleted the feat/skill-020-024 branch March 23, 2026 05:37
github-actions[bot]
github-actions bot approved these changes Mar 23, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

VERDICT: APPROVE

SUMMARY: This PR adds 5 new skill security checks (SKILL-020 through SKILL-024) to the HMA scanner, bringing the total from 199 to 204 checks. The changes are limited to README.md (documentation updates) and src/hardening/scanner.ts (new check implementations). All new checks operate on skill file content using read-only regex/string operations without external I/O. No command injection, path traversal, or other critical security vulnerabilities were introduced. The code is defensive: regex patterns use simple, linear-time quantifiers; capability matching uses explicit comparisons without shell interpolation; and all findings are informational (no automatic execution of fixes).

FINDINGS:
(none)

Reviewed 2 files changed (13191 bytes)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@thebenignhacker