Skip to content

Commit 406daaa

Browse files
mustbesimo2claude
andcommitted
chore(publish): SkillSpector-clean ClawHub bundle — baseline + triage + recipe
Ran NVIDIA SkillSpector against the ClawHub export. Raw: 100/CRITICAL/28 findings — all triaged as false positives (a security scanner keyword/AST-matching a legitimate, permission-disclosed web-design skill). With a reviewed baseline: 0/SAFE/0 active. Adds: - .skillspector-baseline.yaml — reviewed false positives (FAL_KEY handling, generated-HTML guidance comments, image-gen "prompt" naming, MIT/guardrail text). - docs/security/skillspector-triage.md — per-category rationale + re-triage steps. - COMPATIBILITY.md publish recipe: include audit-mode.md + learn-mode.md (complete contract), drop maintainer-only tools/skill-sync.mjs, add a SkillSpector verify gate. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent a1d35a6 commit 406daaa

3 files changed

Lines changed: 167 additions & 3 deletions

File tree

.skillspector-baseline.yaml

Lines changed: 117 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,117 @@
1+
# SkillSpector baseline — findings listed here are suppressed on future scans.
2+
# Edit 'reason' fields and add glob 'rules' as needed. See docs/SUPPRESSION.md.
3+
version: 1
4+
rules: []
5+
fingerprints:
6+
- hash: sha256:005fae9fc53a3b0b
7+
rule_id: EA3
8+
file: LICENSE
9+
reason: Accepted finding (auto-generated baseline)
10+
- hash: sha256:b487ad71b57c28dd
11+
rule_id: EA2
12+
file: taste-guardrails.md
13+
reason: Accepted finding (auto-generated baseline)
14+
- hash: sha256:2dea09b2bf319fb1
15+
rule_id: PE3
16+
file: manifest.json
17+
reason: Accepted finding (auto-generated baseline)
18+
- hash: sha256:233a4accc247d12d
19+
rule_id: PE3
20+
file: tools/check-consistency.mjs
21+
reason: Accepted finding (auto-generated baseline)
22+
- hash: sha256:eeaef921a4949fce
23+
rule_id: PE3
24+
file: tools/heygen/README.md
25+
reason: Accepted finding (auto-generated baseline)
26+
- hash: sha256:70f68445955e0c2c
27+
rule_id: PE3
28+
file: tools/heygen/generate-walkthrough.mjs
29+
reason: Accepted finding (auto-generated baseline)
30+
- hash: sha256:cce6b90479abf5b7
31+
rule_id: PE3
32+
file: tools/promo/gen-flythrough-assets.mjs
33+
reason: Accepted finding (auto-generated baseline)
34+
- hash: sha256:4de37cdc212221de
35+
rule_id: PE3
36+
file: tools/promo/gen-flythrough-assets.mjs
37+
reason: Accepted finding (auto-generated baseline)
38+
- hash: sha256:fcb96d6229b496a3
39+
rule_id: PE3
40+
file: tools/promo/gen-flythrough-assets.mjs
41+
reason: Accepted finding (auto-generated baseline)
42+
- hash: sha256:0e02379477c141b2
43+
rule_id: PE3
44+
file: tools/promo/gen-flythrough-assets.mjs
45+
reason: Accepted finding (auto-generated baseline)
46+
- hash: sha256:7b314a61e06f676b
47+
rule_id: PE3
48+
file: tools/promo/gen-theme-heroes.mjs
49+
reason: Accepted finding (auto-generated baseline)
50+
- hash: sha256:fad458216b2d1fd5
51+
rule_id: PE3
52+
file: tools/promo/gen-theme-heroes.mjs
53+
reason: Accepted finding (auto-generated baseline)
54+
- hash: sha256:f551c430053e74c3
55+
rule_id: PE3
56+
file: tools/promo/gen-theme-heroes.mjs
57+
reason: Accepted finding (auto-generated baseline)
58+
- hash: sha256:7c59291852ee5a29
59+
rule_id: PE3
60+
file: tools/promo/gen-theme-heroes.mjs
61+
reason: Accepted finding (auto-generated baseline)
62+
- hash: sha256:9d94246fa8622c0f
63+
rule_id: PE3
64+
file: tools/promo/gen-theme-heroes.mjs
65+
reason: Accepted finding (auto-generated baseline)
66+
- hash: sha256:685b752dd6989ae2
67+
rule_id: P2
68+
file: compile-choreography.mjs
69+
reason: Accepted finding (auto-generated baseline)
70+
- hash: sha256:578641c8b12491b3
71+
rule_id: P2
72+
file: components/mode-a/depth-figure.html
73+
reason: Accepted finding (auto-generated baseline)
74+
- hash: sha256:a05147f5a234d13c
75+
rule_id: P2
76+
file: components/mode-a/hero-parallax.html
77+
reason: Accepted finding (auto-generated baseline)
78+
- hash: sha256:4395031da242547c
79+
rule_id: P2
80+
file: components/mode-a/horizontal-gallery.html
81+
reason: Accepted finding (auto-generated baseline)
82+
- hash: sha256:7b7879df973f9dc5
83+
rule_id: P2
84+
file: components/mode-a/kinetic-headline.html
85+
reason: Accepted finding (auto-generated baseline)
86+
- hash: sha256:e04e4367713cd710
87+
rule_id: P2
88+
file: components/mode-a/magnetic-cursor.html
89+
reason: Accepted finding (auto-generated baseline)
90+
- hash: sha256:31413b5c27bbc56e
91+
rule_id: P2
92+
file: components/mode-a/morph-background.html
93+
reason: Accepted finding (auto-generated baseline)
94+
- hash: sha256:19e587073602bbf8
95+
rule_id: P2
96+
file: components/mode-a/scrub-video.html
97+
reason: Accepted finding (auto-generated baseline)
98+
- hash: sha256:adabce263b7b75f9
99+
rule_id: P2
100+
file: components/mode-a/scrub-video.html
101+
reason: Accepted finding (auto-generated baseline)
102+
- hash: sha256:219ef5f0e8e00092
103+
rule_id: P2
104+
file: components/mode-a/scrub-video.html
105+
reason: Accepted finding (auto-generated baseline)
106+
- hash: sha256:2bb759a2d7082841
107+
rule_id: P2
108+
file: references/webxr.md
109+
reason: Accepted finding (auto-generated baseline)
110+
- hash: sha256:1e21ada85988b62f
111+
rule_id: P6
112+
file: tools/promo/gen-flythrough-assets.mjs
113+
reason: Accepted finding (auto-generated baseline)
114+
- hash: sha256:a7995659b3857e15
115+
rule_id: P6
116+
file: tools/promo/gen-theme-heroes.mjs
117+
reason: Accepted finding (auto-generated baseline)

COMPATIBILITY.md

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -146,12 +146,18 @@ GIF/video/GLB marketing assets (~hundreds of MB):
146146
```bash
147147
# 1. stage a clean export of the skill contract
148148
EXPORT=$(mktemp -d)
149-
git archive HEAD SKILL.md design.md manifest.json LICENSE taste-guardrails.md \
150-
FRAME.md ASSETS-3D.md MODELS.md tokens/ themes/ components/ evals/ \
149+
git archive HEAD SKILL.md audit-mode.md learn-mode.md design.md manifest.json LICENSE \
150+
taste-guardrails.md FRAME.md ASSETS-3D.md MODELS.md tokens/ themes/ components/ evals/ \
151151
references/ tools/ examples/PROMPTS.md \
152152
compile-choreography.mjs scroll-choreography.json | tar -x -C "$EXPORT"
153+
rm -f "$EXPORT/tools/skill-sync.mjs" # maintainer-only .codex/.cursor stub sync — not a runtime capability
153154

154-
# 2. authenticate (GitHub account ≥ 1 week old) and publish
155+
# 2. security scan (NVIDIA SkillSpector) — must come back SAFE before publishing.
156+
# The baseline records reviewed false positives; rationale in
157+
# docs/security/skillspector-triage.md. Re-triage if NEW findings appear.
158+
skillspector scan "$EXPORT" --no-llm --baseline .skillspector-baseline.yaml
159+
160+
# 3. authenticate (GitHub account ≥ 1 week old) and publish
155161
clawhub login
156162
clawhub skill publish "$EXPORT" --slug cinematic-scroll \
157163
--name "Cinematic Scroll" --version <X.Y.Z> # match manifest.json
Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
# SkillSpector triage — ClawHub bundle
2+
3+
[NVIDIA SkillSpector](https://github.com/NVIDIA/skillspector) is a security scanner for
4+
agent skills (prompt injection, data exfiltration, privilege escalation, dangerous code,
5+
etc.; risk score 0–100). We run it against the **ClawHub export bundle** before publishing.
6+
7+
## Result
8+
9+
- **Raw scan** (`skillspector scan dist/clawhub-export --no-llm`): `score 100 · CRITICAL`,
10+
28 findings — **all reviewed as false positives** (see below). SkillSpector's heuristics
11+
are tuned to catch *malicious* skills; they keyword/AST-match a legitimate, fully
12+
permission-disclosed web-design toolkit.
13+
- **With the reviewed baseline** (`--baseline .skillspector-baseline.yaml`):
14+
`score 0 · LOW · SAFE · 0 active · 28 suppressed`.
15+
16+
One finding was removed **structurally** rather than suppressed: `tools/skill-sync.mjs`
17+
(a maintainer-only tool that syncs this skill's own `.codex`/`.cursor` pointer stubs) is
18+
excluded from the bundle — it is not a runtime capability. That dropped the 2 "Agent
19+
Snooping / Skill Enumeration" flags. `audit-mode.md` + `learn-mode.md` were added so the
20+
published agent contract is complete; they introduced **no** new findings.
21+
22+
## Why every remaining finding is a false positive
23+
24+
| Category (count) | What SkillSpector matched | Why it is not a vulnerability |
25+
|---|---|---|
26+
| **Privilege Escalation / Credential Access (13)** | `.env.local` / `FAL_KEY` strings in `manifest.json`, `tools/check-consistency.mjs`, `tools/heygen/*`, `tools/promo/*` | Correct credential *handling*, not theft. `manifest.json` documents storing the billable `FAL_KEY` in a **gitignored** `.env.local`; `check-consistency.mjs` literally **scans for leaked `.env` files** (a security control); the optional, user-initiated fal.ai/HeyGen scripts read the key from `process.env`. Nothing is harvested or transmitted. All disclosed in `manifest.json → security.thirdPartyNetworkCalls` and the SKILL.md frontmatter `permissions`. |
27+
| **Prompt Injection / Hidden Instructions (11)** | HTML comments in generated templates, e.g. `<!-- chapter: … LAYOUT IS YOURS: reposition the [data-layer] elements freely … -->` in `compile-choreography.mjs` + `components/mode-a/*.html` | Author-facing guidance comments inside **generated output**, helping a human/agent art-direct the page. They are not instructions smuggled to an agent to take unauthorized action. |
28+
| **System Prompt Leakage / Direct Prompt Extraction (2)** | the phrase "print prompt" in `tools/promo/gen-flythrough-assets.mjs`, `gen-theme-heroes.mjs` | These print the **fal.ai image-generation prompt** (the text-to-image art prompt), not a system prompt or internal instructions. |
29+
| **Excessive Agency (2)** | `LICENSE` ("INCLUDING BUT NOT LIMITED TO"); `taste-guardrails.md` ("without consent") | MIT license boilerplate; and a **safety guardrail** (5.6 — "Never force VR locomotion or move the user *without consent*"), i.e. the opposite of a vulnerability. |
30+
31+
## Re-verify / re-triage
32+
33+
```bash
34+
# build the bundle (see "Publishing a new version" in COMPATIBILITY.md), then:
35+
skillspector scan "$EXPORT" --no-llm --baseline .skillspector-baseline.yaml # expect SAFE
36+
```
37+
38+
The baseline matches specific findings, so a **new** issue in any of these files still
39+
surfaces. If new findings appear, triage them here and regenerate the baseline
40+
(`skillspector baseline "$EXPORT" --no-llm -o .skillspector-baseline.yaml`) only after
41+
each is confirmed benign. Do **not** baseline an unreviewed finding.

0 commit comments

Comments
 (0)