fix(cli): validate skill path

Author: codeaholicguy

packages/cli/src/__tests__/lib/SkillManager.test.ts

@@ -96,6 +96,7 @@ describe("SkillManager", () => {
 
     mockedSkillUtil.validateRegistryId.mockImplementation(() => { });
     mockedSkillUtil.validateSkillName.mockImplementation(() => { });
+    mockedSkillUtil.isValidSkillName.mockImplementation((name: string) => /^[a-z0-9]+(-[a-z0-9]+)*$/.test(name));
     mockedGitUtil.ensureGitInstalled.mockResolvedValue(undefined);
     mockConfigManager.addSkill.mockResolvedValue({} as any);
   });

packages/cli/src/__tests__/util/skill.test.ts

@@ -1,4 +1,4 @@
-import { validateRegistryId, validateSkillName } from '../../util/skill';
+import { validateRegistryId, validateSkillName, isValidSkillName } from '../../util/skill';
 
 describe('Skill Validation Utilities', () => {
   describe('validateRegistryId', () => {
@@ -180,4 +180,25 @@ describe('Skill Validation Utilities', () => {
       });
     });
   });
+
+  describe('isValidSkillName', () => {
+    it('should return true for valid skill names', () => {
+      expect(isValidSkillName('my-skill')).toBe(true);
+      expect(isValidSkillName('skill123')).toBe(true);
+      expect(isValidSkillName('a')).toBe(true);
+    });
+
+    it('should return false for names with path traversal characters', () => {
+      expect(isValidSkillName('../etc')).toBe(false);
+      expect(isValidSkillName('skill/name')).toBe(false);
+      expect(isValidSkillName('.hidden')).toBe(false);
+    });
+
+    it('should return false for names that fail skill name rules', () => {
+      expect(isValidSkillName('-leading')).toBe(false);
+      expect(isValidSkillName('trailing-')).toBe(false);
+      expect(isValidSkillName('double--hyphen')).toBe(false);
+      expect(isValidSkillName('UPPERCASE')).toBe(false);
+    });
+  });
 });

packages/cli/src/lib/SkillManager.ts

@@ -7,7 +7,7 @@ import { GlobalConfigManager } from './GlobalConfig';
 import { EnvironmentSelector } from './EnvironmentSelector';
 import { getGlobalSkillPath, getSkillPath, validateEnvironmentCodes } from '../util/env';
 import { ensureGitInstalled, cloneRepository, isGitRepository, pullRepository, fetchGitHead } from '../util/git';
-import { validateRegistryId, validateSkillName, extractSkillDescription } from '../util/skill';
+import { validateRegistryId, validateSkillName, extractSkillDescription, isValidSkillName } from '../util/skill';
 import { fetchGitHubSkillPaths, fetchRawGitHubFile } from '../util/github';
 import { isInteractiveTerminal } from '../util/terminal';
 import { ui } from '../util/terminal-ui';
@@ -555,7 +555,7 @@ export class SkillManager {
     const skills: RegistrySkillChoice[] = [];
 
     for (const entry of entries) {
-      if (!entry.isDirectory()) {
+      if (!entry.isDirectory() || !isValidSkillName(entry.name)) {
         continue;
       }
 

packages/cli/src/util/skill.ts

@@ -36,6 +36,13 @@ export function validateSkillName(skillName: string): void {
   }
 }
 
+/**
+ * Checks if a skill name is valid without throwing
+ */
+export function isValidSkillName(name: string): boolean {
+  return /^[a-z0-9]+(-[a-z0-9]+)*$/.test(name);
+}
+
 /**
  * Extract skill description from SKILL.md frontmatter
  * @param content - Content of SKILL.md file