Skip to content

[Docs]: Document [BANG] security workaround for Claude Code issue #12781 #151

Closed
#156
Closed
[Docs]: Document [BANG] security workaround for Claude Code issue #12781#151
#156
Assignees
sjnims
Labels
component:docsDocumentation filescomponent:skillSkills layerdocumentationImprovements or additions to documentationeffort:medium1-4 hourspriority:highImportant but not blockingpriority:mediumShould be addressedsecuritySecurity-related
@sjnims

Description

@sjnims
sjnims
opened on Dec 13, 2025

Which documentation needs improvement?

  • SECURITY.md
  • Contributing guidelines

Specific Location

  • SECURITY.md - Add new section
  • CONTRIBUTING.md - Add note in documentation guidelines

What's unclear or missing?

The plugin uses a [BANG] placeholder to prevent shell execution of inline bash patterns in skill documentation. This workaround addresses Claude Code issue #12781, where !`` patterns inside fenced code blocks are executed when skills are loaded.

Current state:

Audit finding:
One potentially unescaped pattern remains:

  • plugins/plugin-dev/skills/command-development/references/testing-strategies.md:680

Suggested Improvement

Add a security section documenting the workaround:

## Security: Inline Bash Pattern Escaping

Due to [Claude Code issue #12781](https://github.com/anthropics/claude-code/issues/12781), 
inline bash execution patterns (`!`\`...\``) inside fenced code blocks are executed when 
skills are loaded—even as documentation examples.

**Mitigation:** Replace `!` with `[BANG]` in all skill documentation that shows example 
bash patterns:

\`\`\`bash
# UNSAFE - will execute during skill load
!`gh pr view $1`

# SAFE - displays as documentation only  
[BANG]`gh pr view $1`
\`\`\`

**Affected files to audit when adding new documentation:**
- skills/*/SKILL.md
- skills/*/references/*.md
- skills/*/examples/*.md

Type of issue

  • Missing information
  • Security documentation

Additional Context

Related to CHANGELOG entry: "Replace ! with [BANG] placeholder in skill documentation to prevent shell interpretation issues (#142)"

Tasks:

  • Add security documentation section
  • Audit all markdown files: grep -rn '!\' plugins/plugin-dev/skills/ --include='*.md' | grep -v '[BANG]'`
  • Fix any remaining unescaped patterns
  • Consider adding CI check to prevent reintroduction

Metadata

Metadata

Assignees

Labels

component:docsDocumentation filescomponent:skillSkills layerdocumentationImprovements or additions to documentationeffort:medium1-4 hourspriority:highImportant but not blockingpriority:mediumShould be addressedsecuritySecurity-related

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions