You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Sync OSS release snapshot for SkillSpector 2.3.7
Refresh the public NVIDIA/SkillSpector repository from the sanitized internal
OSS release snapshot generated from GitLab main. The final source snapshot was
produced from internal release branch release/oss-2026-06-24-3 at
514c2a76c3dd995859529138313a9806365e8b95, based on GitLab main
3820dab5c9680517598d558f2b986cad26f4fc61.
This release includes the latest merged internal changes and publishes the
public package metadata bump to 2.3.7. It also carries analyzer/test updates
already staged in the OSS release PR, including static runner behavior changes,
pattern default updates, analyzer registry/test adjustments, and whitespace
cleanup in generated public docs/test files.
Highlights:
- Publish SkillSpector package version 2.3.7 in pyproject.toml and uv.lock.
- Sync the public tree with the latest internal OSS snapshot.
- Preserve the sanitized public-release shape generated by scripts/create-oss-release.sh.
- Keep DCO compliance on the GitHub release commits.
Verification:
- scripts/create-oss-release.sh release/oss-2026-06-24-3
- make test-unit: 990 passed, 12 skipped, 26 deselected, 6 expected failed
- git diff --check
- GitHub CI passed: DCO Check, Lint & Test Python 3.12, Lint & Test Python 3.13
Copy file name to clipboardExpand all lines: pyproject.toml
+1-1Lines changed: 1 addition & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
4
4
5
5
[project]
6
6
name = "skillspector"
7
-
version = "2.3.5"
7
+
version = "2.3.7"
8
8
description = "SkillSpector: Security scanner for AI agent skills (Claude Code, Cursor, and similar). Scans skills for vulnerabilities, malicious patterns, and security risks before installation. Supports Git repos, URLs, zips, and local directories; runs static pattern checks and optional LLM semantic analysis; outputs terminal, JSON, and Markdown reports with risk scoring."
# Pattern-specific explanations (why the finding is dangerous)
@@ -127,14 +127,14 @@ class PatternCategory(StrEnum):
127
127
"AS1": "Skill reads from agent configuration directories (.claude/, .codex/, .gemini/). These directories may contain API keys, personal settings, and other credentials that the skill has no legitimate need to access.",
128
128
"AS2": "Skill accesses MCP server configuration files (mcp.json). MCP configs contain server URLs, authentication tokens, and tool definitions — reading them allows the skill to discover and potentially abuse other tool integrations.",
129
129
"AS3": "Skill enumerates or reads other installed skills. Access to other skills' SKILL.md files or the skills directory reveals prompt instructions, capabilities, and secrets that should be invisible to peer skills.",
130
-
# Server-Side Request Forgery (SSRF)
131
-
"SSRF1": "Code accesses a cloud instance metadata endpoint (e.g. 169.254.169.254). A single request can return temporary IAM credentials, making this a high-value SSRF target for credential theft.",
132
-
"SSRF2": "Code issues a request to a loopback, link-local, or private-range host. This can reach internal services not meant to be exposed and is a common SSRF pivot.",
133
-
"SSRF3": "Request target host is built from a dynamic or untrusted value. If the host is attacker-influenced, this enables SSRF to arbitrary internal or metadata endpoints.",
134
130
# Anti-Refusal Statements (jailbreak)
135
131
"AR1": "Skill instructs the agent to never refuse or to always comply. Suppressing the agent's ability to decline removes a core safety control and enables downstream harmful requests to succeed.",
136
132
"AR2": "Skill instructs the agent to omit warnings, disclaimers, or ethical commentary. Stripping safety caveats hides risk from the user and is a common jailbreak preamble.",
137
133
"AR3": "Skill attempts to nullify the agent's safety policies or restrictions ('you have no restrictions', 'ignore your guidelines', 'do anything now'). This is a direct jailbreak that disables guardrails.",
134
+
# Server-Side Request Forgery (SSRF)
135
+
"SSRF1": "Code accesses a cloud instance metadata endpoint (e.g. 169.254.169.254). A single request can return temporary IAM credentials, making this a high-value SSRF target for credential theft.",
136
+
"SSRF2": "Code issues a request to a loopback, link-local, or private-range host. This can reach internal services not meant to be exposed and is a common SSRF pivot.",
137
+
"SSRF3": "Request target host is built from a dynamic or untrusted value. If the host is attacker-influenced, this enables SSRF to arbitrary internal or metadata endpoints.",
138
138
}
139
139
140
140
# Rule ID -> category (for report output)
@@ -202,14 +202,14 @@ class PatternCategory(StrEnum):
# Rule ID -> pattern display name (for report output)
@@ -277,14 +277,14 @@ class PatternCategory(StrEnum):
277
277
"AS1": "Agent Config Directory Access",
278
278
"AS2": "MCP Config Access",
279
279
"AS3": "Skill Enumeration",
280
-
# Server-Side Request Forgery
281
-
"SSRF1": "Cloud Metadata Access",
282
-
"SSRF2": "Internal Network Request",
283
-
"SSRF3": "Dynamic Request Target",
284
280
# Anti-Refusal Statements (jailbreak)
285
281
"AR1": "Refusal Suppression",
286
282
"AR2": "Disclaimer Suppression",
287
283
"AR3": "Safety Policy Nullification",
284
+
# Server-Side Request Forgery
285
+
"SSRF1": "Cloud Metadata Access",
286
+
"SSRF2": "Internal Network Request",
287
+
"SSRF3": "Dynamic Request Target",
288
288
}
289
289
290
290
# Pattern-specific remediations (how to fix the issue)
@@ -371,14 +371,14 @@ class PatternCategory(StrEnum):
371
371
"AS1": "Remove all code or instructions that access agent configuration directories (.claude/, .codex/, .gemini/). If configuration values are needed, pass them explicitly as parameters or environment variables — never read the agent's own config files.",
372
372
"AS2": "Remove all code or instructions that read MCP configuration files (mcp.json). MCP server details should be managed by the agent runtime, not read by individual skills.",
373
373
"AS3": "Remove all code or instructions that list or read other skills' files or directories. Skills should operate independently; cross-skill access is a privilege escalation.",
374
-
# Server-Side Request Forgery
375
-
"SSRF1": "Remove access to cloud metadata endpoints unless strictly required. If metadata is needed, restrict it (e.g. IMDSv2 with hop limit) and never expose returned credentials.",
376
-
"SSRF2": "Avoid requests to loopback/link-local/private hosts from skill code. If internal access is intended, document it and validate the target against an allowlist.",
377
-
"SSRF3": "Do not build request URLs from untrusted input. Validate the host against an allowlist and reject internal/metadata addresses before issuing the request.",
378
374
# Anti-Refusal Statements (jailbreak)
379
375
"AR1": "Remove any instruction telling the agent to never refuse or always comply. The agent must retain the ability to decline unsafe, out-of-scope, or harmful requests.",
380
376
"AR2": "Remove instructions that suppress warnings, disclaimers, or ethical commentary. Let the agent surface safety-relevant caveats to the user.",
381
377
"AR3": "Remove jailbreak framing that nullifies safety policies or restrictions. Skill content must not instruct the agent to ignore its guidelines or operate without guardrails.",
378
+
# Server-Side Request Forgery
379
+
"SSRF1": "Remove access to cloud metadata endpoints unless strictly required. If metadata is needed, restrict it (e.g. IMDSv2 with hop limit) and never expose returned credentials.",
380
+
"SSRF2": "Avoid requests to loopback/link-local/private hosts from skill code. If internal access is intended, document it and validate the target against an allowlist.",
381
+
"SSRF3": "Do not build request URLs from untrusted input. Validate the host against an allowlist and reject internal/metadata addresses before issuing the request.",
0 commit comments