opencode-skills-collection 3.1.4 → 3.1.6

package/bundled-skills/skill-installer/scripts/install_skill.py

@@ -126,8 +126,37 @@ def sanitize_name(name: str) -> str:
     return name.strip("-")
 
 
+def safe_child_path(root: Path, *parts: str) -> Path:
+    """Resolve a child path and ensure it remains under root."""
+    root = root.resolve()
+    child = root.joinpath(*parts).resolve()
+    try:
+        child.relative_to(root)
+    except ValueError as exc:
+        raise ValueError(f"Path escapes {root}: {child}") from exc
+    return child
+
+
+def safe_skill_path(root: Path, skill_name: str) -> Path:
+    """Build a path from a sanitized skill name under a trusted root."""
+    clean_name = sanitize_name(skill_name)
+    if not clean_name:
+        raise ValueError("Invalid empty skill name")
+    return safe_child_path(root, clean_name)
+
+
+def resolve_skill_source(source: str) -> Path:
+    """Resolve and validate a local skill source directory."""
+    source_path = Path(source).expanduser().resolve()
+    if not source_path.is_dir():
+        raise ValueError(f"Source does not exist or is not a directory: {source_path}")
+    if not (source_path / "SKILL.md").is_file():
+        raise ValueError(f"No SKILL.md found in {source_path}")
+    return source_path
+
+
 def md5_dir(path: Path, exclude_dirs: set = None) -> str:
-    """Compute combined MD5 hash of all files in a directory.
+    """Compute combined SHA-256 hash of all files in a directory.
 
     Excludes backup/staging dirs and normalizes paths to forward slashes
     for cross-platform consistency.
@@ -135,17 +164,23 @@ def md5_dir(path: Path, exclude_dirs: set = None) -> str:
     if exclude_dirs is None:
         exclude_dirs = {"backups", "staging", ".git", "__pycache__", "node_modules", ".venv"}
 
-    h = hashlib.md5()
-    for root, dirs, files in os.walk(path):
+    root_path = Path(path).resolve(strict=True)
+    if not root_path.is_dir():
+        raise ValueError(f"Hash target must be a directory: {root_path}")
+
+    h = hashlib.sha256()
+    for root, dirs, files in os.walk(root_path, followlinks=False):
         # Filter out excluded directories
         dirs[:] = [d for d in dirs if d not in exclude_dirs]
         for f in sorted(files):
             fp = Path(root) / f
             try:
+                resolved_fp = fp.resolve(strict=True)
+                resolved_fp.relative_to(root_path)
                 # Normalize to forward slashes for consistent hashing
-                rel = fp.relative_to(path).as_posix()
+                rel = resolved_fp.relative_to(root_path).as_posix()
                 h.update(rel.encode("utf-8"))
-                with open(fp, "rb") as fh:
+                with resolved_fp.open("rb") as fh:
                     for chunk in iter(lambda: fh.read(8192), b""):
                         h.update(chunk)
             except Exception:
@@ -262,11 +297,10 @@ def get_all_skill_dirs() -> list:
 def step1_resolve_source(source: str = None, do_detect: bool = False, auto: bool = False) -> dict:
     """STEP 1: Resolve source directory."""
     if source:
-        source_path = Path(source).resolve()
-        if not source_path.exists():
-            return {"success": False, "error": f"Source does not exist: {source_path}"}
-        if not (source_path / "SKILL.md").exists():
-            return {"success": False, "error": f"No SKILL.md found in {source_path}"}
+        try:
+            source_path = resolve_skill_source(source)
+        except ValueError as e:
+            return {"success": False, "error": str(e)}
         return {"success": True, "sources": [str(source_path)]}
 
     if do_detect:
@@ -316,8 +350,8 @@ def step3_determine_name(source_path: Path, name_override: str = None) -> str:
 
 def step4_check_conflicts(skill_name: str) -> dict:
     """STEP 4: Check for existing skill with same name."""
-    dest = SKILLS_ROOT / skill_name
-    claude_dest = CLAUDE_SKILLS / skill_name
+    dest = safe_skill_path(SKILLS_ROOT, skill_name)
+    claude_dest = safe_skill_path(CLAUDE_SKILLS, skill_name)
 
     conflicts = []
     if dest.exists():
@@ -339,6 +373,8 @@ def _backup_ignore(directory, contents):
     dir_path = Path(directory)
     for item in contents:
         item_path = dir_path / item
+        if item_path.is_symlink():
+            ignored.add(item)
         # Skip backup and staging directories to prevent recursion
         if item in ("backups", "staging") and dir_path.name == "data":
             ignored.add(item)
@@ -350,10 +386,10 @@ def _backup_ignore(directory, contents):
 
 def step5_backup(skill_name: str) -> dict:
     """STEP 5: Backup existing skill before overwrite."""
-    dest = SKILLS_ROOT / skill_name
+    dest = safe_skill_path(SKILLS_ROOT, skill_name)
     timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
     backup_name = f"{skill_name}_{timestamp}"
-    backup_path = BACKUPS_DIR / backup_name
+    backup_path = safe_child_path(BACKUPS_DIR, backup_name)
 
     BACKUPS_DIR.mkdir(parents=True, exist_ok=True)
 
@@ -366,7 +402,7 @@ def step5_backup(skill_name: str) -> dict:
         except Exception as e:
             return {"success": False, "error": f"Backup failed for {dest}: {e}"}
 
-    claude_dest = CLAUDE_SKILLS / skill_name
+    claude_dest = safe_skill_path(CLAUDE_SKILLS, skill_name)
     if claude_dest.exists():
         claude_backup = backup_path / ".claude-registration"
         claude_backup.mkdir(parents=True, exist_ok=True)
@@ -388,8 +424,9 @@ def step5_backup(skill_name: str) -> dict:
 
 def step6_copy_to_skills_root(source_path: Path, skill_name: str) -> dict:
     """STEP 6: Copy to skills root via staging area."""
-    dest = SKILLS_ROOT / skill_name
-    staging = STAGING_DIR / skill_name
+    source_path = resolve_skill_source(str(source_path))
+    dest = safe_skill_path(SKILLS_ROOT, skill_name)
+    staging = safe_skill_path(STAGING_DIR, skill_name)
 
     STAGING_DIR.mkdir(parents=True, exist_ok=True)
 
@@ -448,8 +485,9 @@ def step6_copy_to_skills_root(source_path: Path, skill_name: str) -> dict:
 
 def step7_register_claude(skill_name: str) -> dict:
     """STEP 7: Register in .claude/skills/ for native Claude Code discovery."""
-    source_skill_md = SKILLS_ROOT / skill_name / "SKILL.md"
-    claude_dest_dir = CLAUDE_SKILLS / skill_name
+    source_dir = safe_skill_path(SKILLS_ROOT, skill_name)
+    source_skill_md = source_dir / "SKILL.md"
+    claude_dest_dir = safe_skill_path(CLAUDE_SKILLS, skill_name)
 
     if not source_skill_md.exists():
         return {"success": False, "error": f"SKILL.md not found at {source_skill_md}"}
@@ -463,7 +501,7 @@ def step7_register_claude(skill_name: str) -> dict:
         return {"success": False, "error": f"Failed to copy SKILL.md to Claude skills: {e}"}
 
     # Also copy references/ if it exists (useful for Claude to read)
-    refs_dir = SKILLS_ROOT / skill_name / "references"
+    refs_dir = source_dir / "references"
     if refs_dir.exists():
         claude_refs = claude_dest_dir / "references"
         try:
@@ -520,7 +558,7 @@ def step9_verify(skill_name: str) -> dict:
     checks = []
 
     # Check 1: Skill directory exists
-    dest = SKILLS_ROOT / skill_name
+    dest = safe_skill_path(SKILLS_ROOT, skill_name)
     checks.append({
         "check": "skill_dir_exists",
         "pass": dest.exists(),
@@ -551,7 +589,7 @@ def step9_verify(skill_name: str) -> dict:
     })
 
     # Check 4: Claude Code registration
-    claude_skill_md = CLAUDE_SKILLS / skill_name / "SKILL.md"
+    claude_skill_md = safe_skill_path(CLAUDE_SKILLS, skill_name) / "SKILL.md"
     checks.append({
         "check": "claude_registered",
         "pass": claude_skill_md.exists(),
@@ -590,7 +628,7 @@ def step10_log(skill_name: str, source: str, result: dict):
         "action": "install",
         "skill_name": skill_name,
         "source": source,
-        "destination": str(SKILLS_ROOT / skill_name),
+        "destination": str(safe_skill_path(SKILLS_ROOT, skill_name)),
         "registered": result.get("registered", False),
         "registry_updated": result.get("registry_updated", False),
         "backup_path": result.get("backup_path"),
@@ -625,7 +663,6 @@ def install_single(
         dry_run: If True, simulate all steps without writing anything.
         verbose: If True, print step-by-step progress to stdout.
     """
-    source = Path(source_path).resolve()
     total_steps = 11
     result = {
         "success": False,
@@ -646,10 +683,12 @@ def install_single(
     # STEP 1: Already resolved (source is provided)
     if verbose:
         _step(1, total_steps, "Resolving source...")
-    if not source.exists() or not (source / "SKILL.md").exists():
-        result["error"] = f"Invalid source: {source}"
+    try:
+        source = resolve_skill_source(source_path)
+    except ValueError as e:
+        result["error"] = str(e)
         if verbose:
-            _fail(f"Source invalid: {source}")
+            _fail(str(e))
         return result
 
     result["steps"]["1_resolve"] = {"success": True, "source": str(source)}
@@ -696,7 +735,7 @@ def install_single(
     # Version comparison with installed
     source_meta = parse_yaml_frontmatter(source / "SKILL.md")
     source_version = source_meta.get("version", "")
-    dest = SKILLS_ROOT / skill_name
+    dest = safe_skill_path(SKILLS_ROOT, skill_name)
     if dest.exists() and (dest / "SKILL.md").exists():
         installed_meta = parse_yaml_frontmatter(dest / "SKILL.md")
         installed_version = installed_meta.get("version", "")
@@ -879,7 +918,7 @@ def install_single(
         zip_result = {"success": False, "skipped": True}
         try:
             from package_skill import package_skill as pkg_skill
-            zip_result = pkg_skill(SKILLS_ROOT / skill_name)
+            zip_result = pkg_skill(safe_skill_path(SKILLS_ROOT, skill_name))
             result["steps"]["10_package"] = zip_result
             result["zip_path"] = zip_result.get("zip_path") if zip_result["success"] else None
             if verbose:
@@ -936,8 +975,8 @@ def uninstall_skill(skill_name: str, keep_backup: bool = True) -> dict:
         "backup_path": None,
     }
 
-    dest = SKILLS_ROOT / skill_name
-    claude_dest = CLAUDE_SKILLS / skill_name
+    dest = safe_skill_path(SKILLS_ROOT, skill_name)
+    claude_dest = safe_skill_path(CLAUDE_SKILLS, skill_name)
 
     if not dest.exists() and not claude_dest.exists():
         result["error"] = f"Skill '{skill_name}' not found in any location"
@@ -946,7 +985,7 @@ def uninstall_skill(skill_name: str, keep_backup: bool = True) -> dict:
     # Backup before removing
     if keep_backup and dest.exists():
         timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
-        backup_path = BACKUPS_DIR / f"{skill_name}_{timestamp}"
+        backup_path = safe_child_path(BACKUPS_DIR, f"{skill_name}_{timestamp}")
         BACKUPS_DIR.mkdir(parents=True, exist_ok=True)
         try:
             shutil.copytree(dest, backup_path, dirs_exist_ok=True)
@@ -976,7 +1015,7 @@ def uninstall_skill(skill_name: str, keep_backup: bool = True) -> dict:
     registry_result = step8_update_registry()
 
     # Remove ZIP from Desktop if exists
-    zip_path = Path(os.path.expanduser("~")) / "Desktop" / f"{skill_name}.zip"
+    zip_path = safe_child_path(Path(os.path.expanduser("~")) / "Desktop", f"{skill_name}.zip")
     if zip_path.exists():
         try:
             zip_path.unlink()
@@ -1267,7 +1306,7 @@ def rollback_skill(skill_name: str, verbose: bool = True) -> dict:
         print(f"  Backup: {latest_backup.name} ({timestamp})")
 
     # Restore to skills root
-    dest = SKILLS_ROOT / skill_name
+    dest = safe_skill_path(SKILLS_ROOT, skill_name)
     if verbose:
         _step(1, 3, "Restoring from backup...")
 

package/bundled-skills/skill-installer/scripts/package_skill.py

@@ -46,6 +46,23 @@ EXCLUDE_EXTENSIONS = {
     ".pyc", ".pyo", ".db", ".sqlite", ".sqlite3",
     ".log", ".tmp", ".bak",
 }
+SAFE_ARCHIVE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]$")
+
+
+def resolve_existing_dir(path) -> Path:
+    """Resolve a user-provided directory and require it to exist."""
+    resolved = Path(path).expanduser().resolve()
+    if not resolved.is_dir():
+        raise ValueError(f"Directory not found: {resolved}")
+    return resolved
+
+
+def resolve_output_dir(path) -> Path:
+    """Resolve a user-provided output directory."""
+    resolved = Path(path).expanduser().resolve()
+    if resolved.exists() and not resolved.is_dir():
+        raise ValueError(f"Output path is not a directory: {resolved}")
+    return resolved
 
 
 # ── YAML Frontmatter Parser ───────────────────────────────────────────────
@@ -131,6 +148,12 @@ def validate_for_web(skill_dir: Path) -> dict:
 
 def should_include(file_path: Path, skill_dir: Path) -> bool:
     """Check if a file should be included in the ZIP."""
+    if file_path.is_symlink():
+        return False
+    try:
+        file_path.resolve(strict=True).relative_to(skill_dir.resolve(strict=True))
+    except (OSError, ValueError):
+        return False
     rel = file_path.relative_to(skill_dir)
 
     # Check directory exclusions
@@ -163,10 +186,10 @@ def package_skill(skill_dir: Path, output_dir: Path = None) -> dict:
               ├── references/
               └── ...
     """
-    skill_dir = Path(skill_dir).resolve()
-
-    if not skill_dir.exists():
-        return {"success": False, "error": f"Directory not found: {skill_dir}"}
+    try:
+        skill_dir = resolve_existing_dir(skill_dir)
+    except ValueError as e:
+        return {"success": False, "error": str(e)}
 
     # Validate
     validation = validate_for_web(skill_dir)
@@ -179,11 +202,16 @@ def package_skill(skill_dir: Path, output_dir: Path = None) -> dict:
 
     skill_name = validation["name"] or skill_dir.name
     skill_name_lower = skill_name.lower()
+    if not SAFE_ARCHIVE_NAME_RE.fullmatch(skill_name_lower):
+        return {"success": False, "error": f"Unsafe archive skill name: {skill_name}"}
 
     # Determine output path
     if output_dir is None:
         output_dir = DEFAULT_OUTPUT
-    output_dir = Path(output_dir).resolve()
+    try:
+        output_dir = resolve_output_dir(output_dir)
+    except ValueError as e:
+        return {"success": False, "error": str(e)}
     output_dir.mkdir(parents=True, exist_ok=True)
 
     zip_path = output_dir / f"{skill_name_lower}.zip"
@@ -382,10 +410,10 @@ def main():
     if "--output" in args:
         idx = args.index("--output")
         if idx + 1 < len(args):
-            output_dir = Path(args[idx + 1])
+            output_dir = resolve_output_dir(args[idx + 1])
 
     if do_verify:
-        result = verify_zips(Path(output_dir) if output_dir else None)
+        result = verify_zips(output_dir if output_dir else None)
         print(json.dumps(result, indent=2, ensure_ascii=False))
         sys.exit(0 if result["invalid"] == 0 else 1)
 
@@ -404,7 +432,7 @@ def main():
         sys.exit(1)
 
     if source:
-        result = package_skill(Path(source), output_dir)
+        result = package_skill(source, output_dir)
         print(json.dumps(result, indent=2, ensure_ascii=False))
         sys.exit(0 if result["success"] else 1)
     elif do_all:

package/bundled-skills/skill-installer/scripts/validate_skill.py

@@ -41,6 +41,14 @@ SKILLS_ROOT = Path(r"C:\Users\renat\skills")
 REGISTRY_PATH = SKILLS_ROOT / "agent-orchestrator" / "data" / "registry.json"
 
 
+def resolve_existing_dir(path) -> Path:
+    """Resolve a user-provided directory and require it to exist."""
+    resolved = Path(path).expanduser().resolve()
+    if not resolved.is_dir():
+        raise ValueError(f"Directory does not exist: {resolved}")
+    return resolved
+
+
 # ── YAML Frontmatter Parser ───────────────────────────────────────────────
 
 def parse_yaml_frontmatter(path: Path) -> dict:
@@ -347,15 +355,15 @@ def validate(skill_dir: Path, strict: bool = False, registry_path: Path = None)
     if registry_path is None:
         registry_path = REGISTRY_PATH
 
-    skill_dir = Path(skill_dir).resolve()
-
-    if not skill_dir.exists():
+    try:
+        skill_dir = resolve_existing_dir(skill_dir)
+    except ValueError as e:
         return {
             "valid": False,
-            "skill_dir": str(skill_dir),
+            "skill_dir": str(Path(skill_dir).expanduser()),
             "checks": [],
             "warnings": [],
-            "errors": [f"Directory does not exist: {skill_dir}"],
+            "errors": [str(e)],
         }
 
     # Parse frontmatter once
@@ -411,14 +419,21 @@ def main():
         }, indent=2))
         sys.exit(1)
 
-    skill_dir = Path(sys.argv[1]).resolve()
+    try:
+        skill_dir = resolve_existing_dir(sys.argv[1])
+    except ValueError as e:
+        print(json.dumps({
+            "valid": False,
+            "error": str(e),
+        }, indent=2))
+        sys.exit(1)
     strict = "--strict" in sys.argv
     registry_path = None
 
     if "--registry" in sys.argv:
         idx = sys.argv.index("--registry")
         if idx + 1 < len(sys.argv):
-            registry_path = Path(sys.argv[idx + 1])
+            registry_path = Path(sys.argv[idx + 1]).expanduser().resolve()
 
     result = validate(skill_dir, strict=strict, registry_path=registry_path)
     print(json.dumps(result, indent=2, ensure_ascii=False))

package/bundled-skills/skill-sentinel/scripts/db.py

@@ -116,6 +116,66 @@ CREATE INDEX IF NOT EXISTS idx_history_time      ON score_history (recorded_at);
 CREATE INDEX IF NOT EXISTS idx_action_log_time   ON action_log (created_at);
 """
 
+_SKILL_SNAPSHOT_COLUMNS = frozenset({
+    "audit_run_id", "skill_name", "skill_path", "version", "file_count",
+    "line_count", "overall_score", "code_quality", "security", "performance",
+    "governance", "documentation", "dependencies", "raw_metrics", "created_at",
+})
+_FINDING_COLUMNS = frozenset({
+    "audit_run_id", "skill_name", "dimension", "severity", "category", "title",
+    "description", "file_path", "line_number", "recommendation", "effort",
+    "impact", "created_at",
+})
+_RECOMMENDATION_COLUMNS = frozenset({
+    "audit_run_id", "suggested_name", "rationale", "capabilities", "priority",
+    "skill_md_draft", "created_at",
+})
+_SKILL_SNAPSHOT_INSERT_COLUMNS = (
+    "audit_run_id", "skill_name", "skill_path", "version", "file_count",
+    "line_count", "overall_score", "code_quality", "security", "performance",
+    "governance", "documentation", "dependencies", "raw_metrics",
+)
+_FINDING_INSERT_COLUMNS = (
+    "audit_run_id", "skill_name", "dimension", "severity", "category", "title",
+    "description", "file_path", "line_number", "recommendation", "effort",
+    "impact",
+)
+_RECOMMENDATION_INSERT_COLUMNS = (
+    "audit_run_id", "suggested_name", "rationale", "capabilities", "priority",
+    "skill_md_draft",
+)
+_INSERT_SKILL_SNAPSHOT_SQL = """
+INSERT INTO skill_snapshots (
+    audit_run_id, skill_name, skill_path, version, file_count, line_count,
+    overall_score, code_quality, security, performance, governance,
+    documentation, dependencies, raw_metrics
+) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+"""
+_INSERT_FINDING_SQL = """
+INSERT INTO findings (
+    audit_run_id, skill_name, dimension, severity, category, title,
+    description, file_path, line_number, recommendation, effort, impact
+) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+"""
+_INSERT_RECOMMENDATION_SQL = """
+INSERT INTO skill_recommendations (
+    audit_run_id, suggested_name, rationale, capabilities, priority, skill_md_draft
+) VALUES (?, ?, ?, ?, ?, ?)
+"""
+
+
+def _quote_identifier(name: str, allowed: frozenset[str]) -> str:
+    if name not in allowed:
+        raise ValueError(f"Invalid column name: {name}")
+    return '"' + name.replace('"', '""') + '"'
+
+
+def _filter_allowed_columns(data: Dict[str, Any], allowed: frozenset[str]) -> Dict[str, Any]:
+    filtered = {k: v for k, v in data.items() if k in allowed}
+    if not filtered:
+        raise ValueError("No valid columns provided")
+    return filtered
+
 
 class Database:
     def __init__(self, db_path: Path = DB_PATH):
@@ -185,12 +245,10 @@ class Database:
         data["audit_run_id"] = run_id
         if "raw_metrics" in data and isinstance(data["raw_metrics"], dict):
             data["raw_metrics"] = json.dumps(data["raw_metrics"], ensure_ascii=False)
-        keys = list(data.keys())
-        placeholders = ", ".join(f":{k}" for k in keys)
-        columns = ", ".join(keys)
-        sql = f"INSERT INTO skill_snapshots ({columns}) VALUES ({placeholders})"
+        data = _filter_allowed_columns(data, _SKILL_SNAPSHOT_COLUMNS)
+        values = [data.get(column) for column in _SKILL_SNAPSHOT_INSERT_COLUMNS]
         with self._connect() as conn:
-            cursor = conn.execute(sql, data)
+            cursor = conn.execute(_INSERT_SKILL_SNAPSHOT_SQL, values)
             return cursor.lastrowid
 
     def get_snapshots_for_run(self, run_id: int) -> List[Dict[str, Any]]:
@@ -216,12 +274,10 @@ class Database:
     def insert_finding(self, run_id: int, data: Dict[str, Any]) -> int:
         """Insere um finding. Retorna o id."""
         data["audit_run_id"] = run_id
-        keys = list(data.keys())
-        placeholders = ", ".join(f":{k}" for k in keys)
-        columns = ", ".join(keys)
-        sql = f"INSERT INTO findings ({columns}) VALUES ({placeholders})"
+        data = _filter_allowed_columns(data, _FINDING_COLUMNS)
+        values = [data.get(column) for column in _FINDING_INSERT_COLUMNS]
         with self._connect() as conn:
-            cursor = conn.execute(sql, data)
+            cursor = conn.execute(_INSERT_FINDING_SQL, values)
             return cursor.lastrowid
 
     def insert_findings_batch(self, run_id: int, findings: List[Dict[str, Any]]) -> int:
@@ -269,12 +325,10 @@ class Database:
         data["audit_run_id"] = run_id
         if "capabilities" in data and isinstance(data["capabilities"], list):
             data["capabilities"] = json.dumps(data["capabilities"], ensure_ascii=False)
-        keys = list(data.keys())
-        placeholders = ", ".join(f":{k}" for k in keys)
-        columns = ", ".join(keys)
-        sql = f"INSERT INTO skill_recommendations ({columns}) VALUES ({placeholders})"
+        data = _filter_allowed_columns(data, _RECOMMENDATION_COLUMNS)
+        values = [data.get(column) for column in _RECOMMENDATION_INSERT_COLUMNS]
         with self._connect() as conn:
-            cursor = conn.execute(sql, data)
+            cursor = conn.execute(_INSERT_RECOMMENDATION_SQL, values)
             return cursor.lastrowid
 
     def get_recommendations_for_run(self, run_id: int) -> List[Dict[str, Any]]:

package/bundled-skills/slack-gif-creator/requirements.txt

@@ -1,4 +1,5 @@
-pillow>=10.0.0
+pillow>=12.2.0
 imageio>=2.31.0
 imageio-ffmpeg>=0.4.9
-numpy>=1.24.0
+numpy>=1.24.0
+setuptools>=78.1.1

package/bundled-skills/stability-ai/scripts/requirements.txt

@@ -1,4 +1,4 @@
 # Stability AI Skill - Dependencies
 # Instalacao: pip install -r requirements.txt
 
-Pillow>=10.0.0
+Pillow>=12.2.0

package/bundled-skills/telegram/assets/boilerplate/nodejs/src/bot-client.ts

@@ -19,6 +19,7 @@ export class TelegramBotClient {
 
   async startWebhook(port: number, webhookUrl: string, secret?: string): Promise<void> {
     const app = express();
+    app.disable('x-powered-by');
     app.use(express.json());
 
     app.post('/webhook', async (req, res) => {

package/bundled-skills/telegram/assets/boilerplate/python/requirements.txt

@@ -1,4 +1,6 @@
 python-telegram-bot>=21.0
 python-dotenv>=1.0.0
 flask>=3.0.0
-requests>=2.31.0
+requests>=2.33.0
+urllib3>=2.7.0
+idna>=3.15

package/bundled-skills/telegram/scripts/send_message.py

@@ -10,11 +10,21 @@ Usage:
 """
 
 import argparse
+import http.client
 import json
 import os
+import re
 import sys
-from urllib.request import urlopen, Request
-from urllib.error import HTTPError
+from urllib.parse import urlparse
+
+ALLOWED_METHODS = {
+    "sendMessage",
+    "sendPhoto",
+    "sendDocument",
+    "sendLocation",
+    "sendPoll",
+}
+BOT_TOKEN_RE = re.compile(r"^\d{6,20}:[A-Za-z0-9_-]{20,}$")
 
 
 def _mask_token(token: str) -> str:
@@ -24,18 +34,38 @@ def _mask_token(token: str) -> str:
     return f"{token[:8]}...masked"
 
 
+def _safe_api_url(token: str, method: str) -> str:
+    if not BOT_TOKEN_RE.match(token or ""):
+        raise ValueError("Invalid Telegram bot token format")
+    if method not in ALLOWED_METHODS:
+        raise ValueError(f"Unsupported Telegram method: {method}")
+    url = f"https://api.telegram.org/bot{token}/{method}"
+    parsed = urlparse(url)
+    if parsed.scheme != "https" or parsed.hostname != "api.telegram.org":
+        raise ValueError("Refusing unsafe Telegram API URL")
+    return url
+
+
+def _safe_api_path(token: str, method: str) -> str:
+    _safe_api_url(token, method)
+    return f"/bot{token}/{method}"
+
+
 def api_call(token: str, method: str, data: dict) -> dict:
     """Make a Telegram Bot API call."""
-    url = f"https://api.telegram.org/bot{token}/{method}"
+    api_path = _safe_api_path(token, method)
     payload = json.dumps(data).encode("utf-8")
-    req = Request(url, data=payload, headers={"Content-Type": "application/json"})
+    headers = {"Content-Type": "application/json"}
+    conn = http.client.HTTPSConnection("api.telegram.org", timeout=30)
 
     try:
-        with urlopen(req, timeout=30) as resp:
-            return json.loads(resp.read().decode())
-    except HTTPError as e:
-        error_body = json.loads(e.read().decode())
-        return error_body
+        conn.request("POST", api_path, body=payload, headers=headers)
+        resp = conn.getresponse()
+        body = resp.read().decode()
+        parsed = json.loads(body)
+        return parsed
+    finally:
+        conn.close()
 
 
 def send_text(token: str, chat_id: str, text: str, parse_mode: str = None,