skillscokac 1.1.0 → 1.3.0

package/bin/skillscokac.js

@@ -18,6 +18,45 @@ const VERSION = packageJson.version
 
 const API_BASE_URL = 'https://skills.cokac.com'
 
+// Configuration constants
+const MAX_ZIP_SIZE = 50 * 1024 * 1024 // 50MB
+const MAX_FILE_SIZE = 5 * 1024 * 1024 // 5MB
+const AXIOS_TIMEOUT = 30000 // 30 seconds
+
+/**
+ * Validate skill name for security
+ */
+function validateSkillName(skillName) {
+  if (!skillName || typeof skillName !== 'string') {
+    throw new Error('Invalid skill name')
+  }
+
+  const trimmed = skillName.trim()
+
+  if (trimmed.length === 0) {
+    throw new Error('Skill name cannot be empty')
+  }
+
+  if (trimmed.includes('/') || trimmed.includes('\\')) {
+    throw new Error('Skill name cannot contain path separators')
+  }
+
+  if (trimmed.includes('..')) {
+    throw new Error('Skill name cannot contain ".."')
+  }
+
+  if (trimmed.startsWith('.')) {
+    throw new Error('Skill name cannot start with a dot')
+  }
+
+  // Check for other potentially dangerous characters
+  if (/[<>:"|?*\x00-\x1f]/.test(trimmed)) {
+    throw new Error('Skill name contains invalid characters')
+  }
+
+  return trimmed
+}
+
 /**
  * Parse frontmatter from markdown content
  */
@@ -79,12 +118,16 @@ async function fetchSkill(skillName, options = {}) {
   const spinner = silent ? null : ora(`Searching for skill: ${skillName}`).start()
 
   try {
+    // Validate skill name
+    skillName = validateSkillName(skillName)
+
     // Step 1: Get marketplace data to find postId
     if (spinner) spinner.text = 'Fetching marketplace data...'
     const marketplaceResponse = await axios.get(`${API_BASE_URL}/api/marketplace`, {
       headers: {
         'User-Agent': `skillscokac-cli/${VERSION}`
-      }
+      },
+      timeout: AXIOS_TIMEOUT
     })
 
     const marketplace = marketplaceResponse.data
@@ -125,15 +168,34 @@ async function fetchSkill(skillName, options = {}) {
         responseType: 'arraybuffer',
         headers: {
           'User-Agent': `skillscokac-cli/${VERSION}`
-        }
+        },
+        timeout: AXIOS_TIMEOUT,
+        maxContentLength: MAX_ZIP_SIZE
       }
     )
 
+    // Check ZIP file size
+    const zipSize = zipResponse.data.byteLength
+    if (zipSize > MAX_ZIP_SIZE) {
+      throw new Error(`Skill package too large (${Math.round(zipSize / 1024 / 1024)}MB). Maximum: ${Math.round(MAX_ZIP_SIZE / 1024 / 1024)}MB`)
+    }
+
     // Step 3: Extract ZIP
     if (spinner) spinner.text = 'Extracting files...'
     const zip = new AdmZip(Buffer.from(zipResponse.data))
     const zipEntries = zip.getEntries()
 
+    // Check total uncompressed size
+    let totalSize = 0
+    for (const entry of zipEntries) {
+      if (!entry.isDirectory) {
+        totalSize += entry.header.size
+        if (totalSize > MAX_ZIP_SIZE * 2) {
+          throw new Error('Skill package contains too much data (possible zip bomb)')
+        }
+      }
+    }
+
     // Find SKILL.md
     const skillMdEntry = zipEntries.find(entry =>
       entry.entryName.endsWith('SKILL.md') && !entry.isDirectory
@@ -309,6 +371,14 @@ async function installSkill(skill, installType, options = {}) {
  * Install skill command handler
  */
 async function installSkillCommand(skillName) {
+  // Validate skill name (fetchSkill also validates, but do it early)
+  try {
+    skillName = validateSkillName(skillName)
+  } catch (error) {
+    console.log(chalk.red(`✗ ${error.message}`))
+    process.exit(1)
+  }
+
   // Fetch skill
   const skill = await fetchSkill(skillName)
 
@@ -333,7 +403,8 @@ async function installCollectionCommand(collectionId) {
     const response = await axios.get(`${API_BASE_URL}/api/collections/${collectionId}`, {
       headers: {
         'User-Agent': `skillscokac-cli/${VERSION}`
-      }
+      },
+      timeout: AXIOS_TIMEOUT
     })
 
     const collection = response.data
@@ -468,6 +539,14 @@ function getSkillsFromDirectory(skillsDir) {
  * Remove skill command handler
  */
 async function removeSkillCommand(skillName, force = false) {
+  // Validate skill name
+  try {
+    skillName = validateSkillName(skillName)
+  } catch (error) {
+    console.log(chalk.red(`✗ ${error.message}`))
+    process.exit(1)
+  }
+
   // Check if skill exists in personal and/or project directories
   const personalSkillDir = path.join(os.homedir(), '.claude', 'skills', skillName)
   const projectSkillDir = path.join(process.cwd(), '.claude', 'skills', skillName)
@@ -679,6 +758,14 @@ async function removeAllSkillsCommand(force = false) {
  * Download skill command handler
  */
 async function downloadSkillCommand(skillName, downloadPath) {
+  // Validate skill name (fetchSkill also validates, but do it early)
+  try {
+    skillName = validateSkillName(skillName)
+  } catch (error) {
+    console.log(chalk.red(`✗ ${error.message}`))
+    process.exit(1)
+  }
+
   // Use current directory if no path specified
   if (!downloadPath) {
     downloadPath = process.cwd()
@@ -847,7 +934,7 @@ async function listInstalledSkillsCommand() {
 /**
  * Create skill on SkillsCokac API
  */
-async function createSkill(skillData, apiKey) {
+async function createSkill(skillData, apiKey, silent = false) {
   const payload = {
     type: 'SKILL',
     title: skillData.name,
@@ -858,31 +945,31 @@ async function createSkill(skillData, apiKey) {
     tags: skillData.tags || ['claude-code', 'agent-skill']
   }
 
-  const spinner = ora('Creating skill on SkillsCokac...').start()
-
   try {
     const response = await axios.post(`${API_BASE_URL}/api/posts`, payload, {
       headers: {
         'Authorization': `Bearer ${apiKey}`,
         'Content-Type': 'application/json',
         'User-Agent': `skillscokac-cli/${VERSION}`
-      }
+      },
+      timeout: AXIOS_TIMEOUT
     })
 
-    spinner.succeed(chalk.green('Skill created successfully!'))
-    const skill = response.data
-    console.log(chalk.dim('  ID: ') + chalk.cyan(skill.id))
-    console.log(chalk.dim('  URL: ') + chalk.cyan(`https://skills.cokac.com/s/${skill.id}`))
-    console.log()
-
-    return skill
+    return response.data
   } catch (error) {
-    spinner.fail(chalk.red('Failed to create skill'))
-    if (error.response) {
-      console.error(chalk.red('  Status:'), error.response.status)
-      console.error(chalk.red('  Response:'), error.response.data)
-    } else {
-      console.error(chalk.red('  Error:'), error.message)
+    // Handle 409 Conflict (skill name already exists)
+    if (error.response && error.response.status === 409) {
+      if (!silent) {
+        console.log(chalk.red('✗ Skill name already exists. Please choose a different name.'))
+      }
+    } else if (!silent) {
+      console.log(chalk.red('✗ Failed to create skill'))
+      if (error.response) {
+        console.error(chalk.red('  Status:'), error.response.status)
+        console.error(chalk.red('  Response:'), error.response.data)
+      } else {
+        console.error(chalk.red('  Error:'), error.message)
+      }
     }
     throw error
   }
@@ -891,9 +978,7 @@ async function createSkill(skillData, apiKey) {
 /**
  * Upload skill files to SkillsCokac API
  */
-async function uploadSkillFiles(skillId, skillDir, apiKey) {
-  const spinner = ora('Uploading additional files...').start()
-
+async function uploadSkillFiles(skillId, skillDir, apiKey, silent = false) {
   let uploadedCount = 0
   let failedCount = 0
   const files = []
@@ -932,21 +1017,27 @@ async function uploadSkillFiles(skillId, skillDir, apiKey) {
     findFiles(skillDir, skillDir)
 
     if (files.length === 0) {
-      spinner.succeed(chalk.green('No additional files to upload'))
-      return
+      return { uploadedCount: 0, failedCount: 0 }
     }
 
-    spinner.text = `Found ${files.length} file${files.length !== 1 ? 's' : ''} to upload...`
-
     for (const file of files) {
       try {
+        // Check file size before reading
+        const stats = fs.statSync(file.fullPath)
+        if (stats.size > MAX_FILE_SIZE) {
+          if (!silent) {
+            console.warn(chalk.yellow(`⚠ Skipping large file (${Math.round(stats.size / 1024 / 1024)}MB): ${file.relativePath}`))
+          }
+          failedCount++
+          continue
+        }
+
         // Try to read as text
         let content
         try {
           content = fs.readFileSync(file.fullPath, 'utf8')
         } catch (err) {
           // Skip binary files
-          spinner.warn(chalk.yellow(`  Skipping binary file: ${file.relativePath}`))
           continue
         }
 
@@ -955,8 +1046,6 @@ async function uploadSkillFiles(skillId, skillDir, apiKey) {
           content: content
         }
 
-        spinner.text = `Uploading: ${file.relativePath}`
-
         const response = await axios.post(
           `${API_BASE_URL}/api/posts/${skillId}/files`,
           filePayload,
@@ -965,7 +1054,8 @@ async function uploadSkillFiles(skillId, skillDir, apiKey) {
               'Authorization': `Bearer ${apiKey}`,
               'Content-Type': 'application/json',
               'User-Agent': `skillscokac-cli/${VERSION}`
-            }
+            },
+            timeout: AXIOS_TIMEOUT
           }
         )
 
@@ -976,22 +1066,14 @@ async function uploadSkillFiles(skillId, skillDir, apiKey) {
         }
       } catch (error) {
         failedCount++
-        console.error(chalk.red(`\n  ✗ Failed to upload: ${file.relativePath}`))
-        if (error.response) {
-          console.error(chalk.red('    Status:'), error.response.status)
-        }
       }
     }
 
-    if (failedCount === 0) {
-      spinner.succeed(chalk.green(`Uploaded ${uploadedCount} file${uploadedCount !== 1 ? 's' : ''}`))
-    } else {
-      spinner.warn(chalk.yellow(`Uploaded ${uploadedCount}, Failed ${failedCount}`))
-    }
-    console.log()
-
+    return { uploadedCount, failedCount }
   } catch (error) {
-    spinner.fail(chalk.red('Failed to upload files'))
+    if (!silent) {
+      console.error(chalk.red('Failed to upload files'))
+    }
     throw error
   }
 }
@@ -1027,21 +1109,10 @@ async function uploadSkillCommand(skillDir, apiKey) {
     process.exit(1)
   }
 
-  console.log(boxen(
-    chalk.bold.cyan('SkillsCokac Skill Uploader'),
-    {
-      padding: { top: 0, bottom: 0, left: 1, right: 1 },
-      borderStyle: 'round',
-      borderColor: 'cyan'
-    }
-  ))
-  console.log()
-  console.log(chalk.dim('  Directory: ') + chalk.white(resolvedSkillDir))
-  console.log()
-
+  let spinner
   try {
     // Step 1: Parse SKILL.md
-    const spinner = ora('Parsing SKILL.md...').start()
+    spinner = ora('Uploading skill...').start()
     const skillMdContent = fs.readFileSync(skillMdPath, 'utf8')
     const { metadata } = parseFrontmatter(skillMdContent)
 
@@ -1063,31 +1134,27 @@ async function uploadSkillCommand(skillDir, apiKey) {
       tags: ['claude-code', 'agent-skill']
     }
 
-    spinner.succeed(chalk.green('SKILL.md parsed'))
-    console.log(chalk.dim('  Name: ') + chalk.white(skillData.name))
-    console.log(chalk.dim('  Description: ') + chalk.white(skillData.description))
-    console.log()
-
     // Step 2: Create skill
-    const skill = await createSkill(skillData, apiKey)
+    spinner.text = 'Creating skill...'
+    const skill = await createSkill(skillData, apiKey, true)
 
     // Step 3: Upload additional files
-    await uploadSkillFiles(skill.id, resolvedSkillDir, apiKey)
+    spinner.text = 'Uploading files...'
+    const { uploadedCount, failedCount } = await uploadSkillFiles(skill.id, resolvedSkillDir, apiKey, true)
 
     // Success summary
-    console.log(boxen(
-      chalk.bold.green('✓ Upload complete!\n\n') +
-      chalk.dim('Skill URL: ') + chalk.cyan(`https://skills.cokac.com/s/${skill.id}`),
-      {
-        padding: { top: 0, bottom: 0, left: 1, right: 1 },
-        borderStyle: 'round',
-        borderColor: 'green'
-      }
-    ))
-    console.log()
+    const fileInfo = uploadedCount > 0 ? ` (${uploadedCount} file${uploadedCount !== 1 ? 's' : ''})` : ''
+    spinner.succeed(chalk.green(`Uploaded: ${skillData.name}${fileInfo}`))
+    console.log(chalk.cyan(`https://skills.cokac.com/p/${skill.id}`))
 
   } catch (error) {
-    console.error(chalk.red('\n✗ Upload failed:'), error.message)
+    if (spinner) spinner.stop()
+    // Handle 409 Conflict (skill name already exists)
+    if (error.response && error.response.status === 409) {
+      console.log(chalk.red('✗ Skill name already exists. Please choose a different name.'))
+    } else {
+      console.error(chalk.red('✗ Upload failed:'), error.message)
+    }
     process.exit(1)
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "skillscokac",
-  "version": "1.1.0",
+  "version": "1.3.0",
   "description": "CLI tool to install and manage Claude Code skills from skills.cokac.com",
   "main": "bin/skillscokac.js",
   "bin": {