@blamejs/exceptd-skills 0.16.17 → 0.16.18

package/data/_indexes/currency.json

@@ -6,7 +6,7 @@
     "decay_formula": "100 base; -30/-20/-10/-5 at 180/90/60/30-day thresholds. forward_watch count does NOT affect the score (it's a maintenance signal, not a staleness one). Label thresholds: ≥90 current, ≥70 acceptable, ≥50 stale, <50 critical_stale."
   },
   "summary": {
-    "current": 49,
+    "current": 50,
     "acceptable": 0,
     "stale": 0,
     "critical_stale": 0,
@@ -229,6 +229,15 @@
       "forward_watch_count": 4,
       "action_required": false
     },
+    {
+      "skill": "log-injection-telemetry",
+      "last_threat_review": "2026-06-02",
+      "days_since_review": -18,
+      "currency_score": 100,
+      "currency_label": "current",
+      "forward_watch_count": 0,
+      "action_required": false
+    },
     {
       "skill": "mail-server-hardening",
       "last_threat_review": "2026-06-02",

package/data/_indexes/frequency.json

@@ -133,10 +133,11 @@
         ]
       },
       "CWE-918": {
-        "count": 6,
+        "count": 7,
         "skills": [
           "api-security",
           "attack-surface-pentest",
+          "log-injection-telemetry",
           "mcp-agent-trust",
           "network-trust",
           "sector-telecom",
@@ -222,12 +223,13 @@
         ]
       },
       "CWE-200": {
-        "count": 7,
+        "count": 8,
         "skills": [
           "age-gates-child-safety",
           "api-security",
           "cloud-security",
           "dlp-gap-analysis",
+          "log-injection-telemetry",
           "sector-healthcare",
           "vc-wallet-trust",
           "webapp-security"
@@ -434,6 +436,18 @@
         "skills": [
           "decompression-dos"
         ]
+      },
+      "CWE-117": {
+        "count": 1,
+        "skills": [
+          "log-injection-telemetry"
+        ]
+      },
+      "CWE-532": {
+        "count": 1,
+        "skills": [
+          "log-injection-telemetry"
+        ]
       }
     },
     "d3fend_refs": {
@@ -619,11 +633,12 @@
     },
     "framework_gaps": {
       "NIST-800-53-SI-2": {
-        "count": 4,
+        "count": 5,
         "skills": [
           "audit-log-integrity",
           "decompression-dos",
           "kernel-lpe-triage",
+          "log-injection-telemetry",
           "mail-server-hardening"
         ]
       },
@@ -1028,9 +1043,10 @@
         ]
       },
       "AU-ISM-1556": {
-        "count": 4,
+        "count": 5,
         "skills": [
           "decompression-dos",
+          "log-injection-telemetry",
           "multitenancy-isolation",
           "sector-telecom",
           "self-update-integrity"
@@ -1196,10 +1212,11 @@
         ]
       },
       "NIS2-Art21-network-security": {
-        "count": 6,
+        "count": 7,
         "skills": [
           "audit-log-integrity",
           "decompression-dos",
+          "log-injection-telemetry",
           "mail-server-hardening",
           "multitenancy-isolation",
           "network-trust",
@@ -1213,18 +1230,20 @@
         ]
       },
       "UK-CAF-B4": {
-        "count": 4,
+        "count": 5,
         "skills": [
           "decompression-dos",
+          "log-injection-telemetry",
           "multitenancy-isolation",
           "network-trust",
           "self-update-integrity"
         ]
       },
       "ISO-27001-2022-A.8.15": {
-        "count": 1,
+        "count": 2,
         "skills": [
-          "audit-log-integrity"
+          "audit-log-integrity",
+          "log-injection-telemetry"
         ]
       },
       "NIST-800-53-SR-11": {
@@ -1468,18 +1487,20 @@
         ]
       },
       "T1530": {
-        "count": 4,
+        "count": 5,
         "skills": [
           "cloud-security",
           "dlp-gap-analysis",
+          "log-injection-telemetry",
           "multitenancy-isolation",
           "sector-healthcare"
         ]
       },
       "T1213": {
-        "count": 1,
+        "count": 2,
         "skills": [
-          "dlp-gap-analysis"
+          "dlp-gap-analysis",
+          "log-injection-telemetry"
         ]
       },
       "T1041": {
@@ -1677,9 +1698,10 @@
         ]
       },
       "T1565.001": {
-        "count": 1,
+        "count": 2,
         "skills": [
-          "audit-log-integrity"
+          "audit-log-integrity",
+          "log-injection-telemetry"
         ]
       },
       "T1562.008": {
@@ -1933,12 +1955,13 @@
       },
       {
         "id": "CWE-200",
-        "count": 7,
+        "count": 8,
         "skills": [
           "age-gates-child-safety",
           "api-security",
           "cloud-security",
           "dlp-gap-analysis",
+          "log-injection-telemetry",
           "sector-healthcare",
           "vc-wallet-trust",
           "webapp-security"
@@ -1970,6 +1993,19 @@
           "webapp-security"
         ]
       },
+      {
+        "id": "CWE-918",
+        "count": 7,
+        "skills": [
+          "api-security",
+          "attack-surface-pentest",
+          "log-injection-telemetry",
+          "mcp-agent-trust",
+          "network-trust",
+          "sector-telecom",
+          "webapp-security"
+        ]
+      },
       {
         "id": "CWE-1188",
         "count": 6,
@@ -2017,18 +2053,6 @@
           "mcp-agent-trust",
           "webapp-security"
         ]
-      },
-      {
-        "id": "CWE-269",
-        "count": 6,
-        "skills": [
-          "attack-surface-pentest",
-          "cloud-iam-incident",
-          "container-runtime-security",
-          "identity-assurance",
-          "idp-incident-response",
-          "webapp-security"
-        ]
       }
     ],
     "d3fend_refs": [
@@ -2164,6 +2188,19 @@
           "webapp-security"
         ]
       },
+      {
+        "id": "NIS2-Art21-network-security",
+        "count": 7,
+        "skills": [
+          "audit-log-integrity",
+          "decompression-dos",
+          "log-injection-telemetry",
+          "mail-server-hardening",
+          "multitenancy-isolation",
+          "network-trust",
+          "self-update-integrity"
+        ]
+      },
       {
         "id": "NIST-800-53-AC-2",
         "count": 7,
@@ -2190,14 +2227,13 @@
         ]
       },
       {
-        "id": "NIS2-Art21-network-security",
-        "count": 6,
+        "id": "AU-ISM-1556",
+        "count": 5,
         "skills": [
-          "audit-log-integrity",
           "decompression-dos",
-          "mail-server-hardening",
+          "log-injection-telemetry",
           "multitenancy-isolation",
-          "network-trust",
+          "sector-telecom",
           "self-update-integrity"
         ]
       },
@@ -2212,6 +2248,17 @@
           "sector-healthcare"
         ]
       },
+      {
+        "id": "NIST-800-53-SI-2",
+        "count": 5,
+        "skills": [
+          "audit-log-integrity",
+          "decompression-dos",
+          "kernel-lpe-triage",
+          "log-injection-telemetry",
+          "mail-server-hardening"
+        ]
+      },
       {
         "id": "SOC2-CC7-anomaly-detection",
         "count": 5,
@@ -2224,12 +2271,13 @@
         ]
       },
       {
-        "id": "AU-ISM-1556",
-        "count": 4,
+        "id": "UK-CAF-B4",
+        "count": 5,
         "skills": [
           "decompression-dos",
+          "log-injection-telemetry",
           "multitenancy-isolation",
-          "sector-telecom",
+          "network-trust",
           "self-update-integrity"
         ]
       },
@@ -2242,26 +2290,6 @@
           "sector-federal-government",
           "supply-chain-integrity"
         ]
-      },
-      {
-        "id": "ISO-27001-2022-A.8.16",
-        "count": 4,
-        "skills": [
-          "ai-c2-detection",
-          "dlp-gap-analysis",
-          "email-security-anti-phishing",
-          "incident-response-playbook"
-        ]
-      },
-      {
-        "id": "ISO-IEC-42001-2023-clause-6.1.2",
-        "count": 4,
-        "skills": [
-          "ai-risk-management",
-          "dlp-gap-analysis",
-          "mlops-security",
-          "threat-modeling-methodology"
-        ]
       }
     ],
     "atlas_refs": [
@@ -2443,6 +2471,17 @@
           "webapp-security"
         ]
       },
+      {
+        "id": "T1530",
+        "count": 5,
+        "skills": [
+          "cloud-security",
+          "dlp-gap-analysis",
+          "log-injection-telemetry",
+          "multitenancy-isolation",
+          "sector-healthcare"
+        ]
+      },
       {
         "id": "T1195.001",
         "count": 4,
@@ -2453,16 +2492,6 @@
           "supply-chain-integrity"
         ]
       },
-      {
-        "id": "T1530",
-        "count": 4,
-        "skills": [
-          "cloud-security",
-          "dlp-gap-analysis",
-          "multitenancy-isolation",
-          "sector-healthcare"
-        ]
-      },
       {
         "id": "T1556",
         "count": 4,
@@ -2620,11 +2649,13 @@
   },
   "orphan_adjacent": {
     "cwe_refs": [
+      "CWE-117",
       "CWE-1333",
       "CWE-20",
       "CWE-327",
       "CWE-353",
       "CWE-409",
+      "CWE-532",
       "CWE-611",
       "CWE-639",
       "CWE-668",
@@ -2656,7 +2687,6 @@
       "FCC-Cyber-Incident-Notification-2024",
       "FedRAMP-IL5-IAM-Federated",
       "GSMA-NESAS-Deployment",
-      "ISO-27001-2022-A.8.15",
       "ISO-27001-2022-A.8.21",
       "ISO-27017-Cloud-IAM",
       "ITU-T-X.805",
@@ -2694,7 +2724,6 @@
       "T1102",
       "T1110",
       "T1133",
-      "T1213",
       "T1505",
       "T1538",
       "T1548.001",
@@ -2703,7 +2732,6 @@
       "T1552.005",
       "T1556.007",
       "T1562.008",
-      "T1565.001",
       "T1566.001",
       "T1566.002",
       "T1566.003",
@@ -2811,7 +2839,6 @@
       "CWE-521",
       "CWE-525",
       "CWE-528",
-      "CWE-532",
       "CWE-539",
       "CWE-540",
       "CWE-547",

package/data/_indexes/handoff-dag.json

@@ -24,6 +24,7 @@
     "idp-incident-response",
     "incident-response-playbook",
     "kernel-lpe-triage",
+    "log-injection-telemetry",
     "mail-server-hardening",
     "mcp-agent-trust",
     "mlops-security",
@@ -527,7 +528,8 @@
     "audit-log-integrity": [],
     "self-update-integrity": [],
     "multitenancy-isolation": [],
-    "decompression-dos": []
+    "decompression-dos": [],
+    "log-injection-telemetry": []
   },
   "in_degree": {
     "age-gates-child-safety": 1,
@@ -554,6 +556,7 @@
     "idp-incident-response": 2,
     "incident-response-playbook": 18,
     "kernel-lpe-triage": 12,
+    "log-injection-telemetry": 0,
     "mail-server-hardening": 0,
     "mcp-agent-trust": 22,
     "mlops-security": 6,
@@ -605,6 +608,7 @@
     "idp-incident-response": 12,
     "incident-response-playbook": 20,
     "kernel-lpe-triage": 6,
+    "log-injection-telemetry": 0,
     "mail-server-hardening": 0,
     "mcp-agent-trust": 7,
     "mlops-security": 10,

package/data/_indexes/jurisdiction-map.json

@@ -25,6 +25,7 @@
       "idp-incident-response",
       "incident-response-playbook",
       "kernel-lpe-triage",
+      "log-injection-telemetry",
       "mail-server-hardening",
       "mcp-agent-trust",
       "mlops-security",
@@ -52,7 +53,7 @@
       "zeroday-gap-learn"
     ],
     "example_excerpts": {},
-    "skill_count": 49
+    "skill_count": 50
   },
   "UK": {
     "skills": [
@@ -79,6 +80,7 @@
       "idp-incident-response",
       "incident-response-playbook",
       "kernel-lpe-triage",
+      "log-injection-telemetry",
       "mcp-agent-trust",
       "mlops-security",
       "multitenancy-isolation",
@@ -105,7 +107,7 @@
       "zeroday-gap-learn"
     ],
     "example_excerpts": {},
-    "skill_count": 47
+    "skill_count": 48
   },
   "AU": {
     "skills": [
@@ -132,6 +134,7 @@
       "idp-incident-response",
       "incident-response-playbook",
       "kernel-lpe-triage",
+      "log-injection-telemetry",
       "mcp-agent-trust",
       "mlops-security",
       "multitenancy-isolation",
@@ -156,7 +159,7 @@
       "zeroday-gap-learn"
     ],
     "example_excerpts": {},
-    "skill_count": 45
+    "skill_count": 46
   },
   "SG": {
     "skills": [

package/data/_indexes/section-offsets.json

@@ -4892,6 +4892,91 @@
           "h3_count": 0
         }
       ]
+    },
+    "log-injection-telemetry": {
+      "path": "skills/log-injection-telemetry/skill.md",
+      "total_bytes": 7725,
+      "total_lines": 81,
+      "frontmatter": {
+        "line_start": 1,
+        "line_end": 46,
+        "byte_start": 0,
+        "byte_end": 1119
+      },
+      "sections": [
+        {
+          "name": "Threat Context (mid-2026)",
+          "normalized_name": "threat-context",
+          "line": 50,
+          "byte_start": 1191,
+          "byte_end": 2072,
+          "bytes": 881,
+          "h3_count": 0
+        },
+        {
+          "name": "Framework Lag Declaration",
+          "normalized_name": "framework-lag-declaration",
+          "line": 54,
+          "byte_start": 2072,
+          "byte_end": 2895,
+          "bytes": 823,
+          "h3_count": 0
+        },
+        {
+          "name": "TTP Mapping",
+          "normalized_name": "ttp-mapping",
+          "line": 58,
+          "byte_start": 2895,
+          "byte_end": 3660,
+          "bytes": 765,
+          "h3_count": 0
+        },
+        {
+          "name": "Exploit Availability Matrix",
+          "normalized_name": "exploit-availability-matrix",
+          "line": 62,
+          "byte_start": 3660,
+          "byte_end": 4390,
+          "bytes": 730,
+          "h3_count": 0
+        },
+        {
+          "name": "Analysis Procedure",
+          "normalized_name": "analysis-procedure",
+          "line": 66,
+          "byte_start": 4390,
+          "byte_end": 5301,
+          "bytes": 911,
+          "h3_count": 0
+        },
+        {
+          "name": "Output Format",
+          "normalized_name": "output-format",
+          "line": 70,
+          "byte_start": 5301,
+          "byte_end": 6137,
+          "bytes": 836,
+          "h3_count": 0
+        },
+        {
+          "name": "Compliance Theater Check",
+          "normalized_name": "compliance-theater-check",
+          "line": 74,
+          "byte_start": 6137,
+          "byte_end": 6877,
+          "bytes": 740,
+          "h3_count": 0
+        },
+        {
+          "name": "Defensive Countermeasure Mapping",
+          "normalized_name": "defensive-countermeasure-mapping",
+          "line": 78,
+          "byte_start": 6877,
+          "byte_end": 7725,
+          "bytes": 848,
+          "h3_count": 0
+        }
+      ]
     }
   }
 }

package/data/_indexes/stale-content.json

@@ -15,7 +15,7 @@
       "severity": "medium",
       "category": "researcher_claim_drift",
       "artifact": "skills/researcher/skill.md",
-      "detail": "claims 41 specialized skills downstream; live count is 48"
+      "detail": "claims 41 specialized skills downstream; live count is 49"
     }
   ]
 }

package/data/_indexes/summary-cards.json

@@ -2257,6 +2257,45 @@
       "last_threat_review": "2026-06-02",
       "path": "skills/decompression-dos/skill.md",
       "handoff_targets": []
+    },
+    "log-injection-telemetry": {
+      "description": "Telemetry-pipeline integrity for mid-2026 — CR/LF log-injection neutralization across every sink, secret/PII redaction before shipping, authenticated metrics endpoints, and exporter destination allowlisting, secret-store credentials, verified TLS, and webhook SSRF guarding",
+      "threat_context_excerpt": "The telemetry pipeline is both an integrity target and a confidentiality leak that \"we centralize all logs\" does not address. Integrity: un-sanitized CR/LF in interpolated log values lets an attacker forge or split log entries — injecting fake lines, breaking the log parser, or hiding their own actions — corrupting the observability record incident response depends on. Confidentiality: secrets and PII logged without a redaction pass persist in every downstream sink (SIEM, cloud log service); an unauthenticated /metrics or debug endpoint leaks internal topology and operational state; exporters ...",
+      "produces": "Report per sink/exporter/endpoint, marking each control enforced / missing / inconclusive (visibility gap). For every missing control, state whether it leaks secrets/PII across sinks, allows forging the audit record, or enables exfil/SSRF from the telemetry process, and whether the surface is internet-reachable. Distinguish a control enforced at a lower layer (a sanitizing collector/sidecar, a private scrape network) from an absent one. Provide the prioritised remediation (neutralize CR/LF + redact per sink, authenticate/private metrics, allowlist exporters with secret-store credentials over v ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-117",
+          "CWE-532",
+          "CWE-918",
+          "CWE-200"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.15",
+          "NIS2-Art21-network-security",
+          "UK-CAF-B4",
+          "AU-ISM-1556"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1565.001",
+          "T1530",
+          "T1213"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 15,
+      "atlas_count": 0,
+      "attack_count": 3,
+      "framework_gap_count": 5,
+      "cwe_count": 4,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-06-02",
+      "path": "skills/log-injection-telemetry/skill.md",
+      "handoff_targets": []
     }
   }
 }