skillscokac 1.5.0 → 1.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +66 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -2,6 +2,9 @@
|
|
|
2
2
|
|
|
3
3
|
CLI tool to install and manage Claude Code skills from [skills.cokac.com](https://skills.cokac.com)
|
|
4
4
|
|
|
5
|
+
[](https://www.npmjs.com/package/skillscokac)
|
|
6
|
+
[](https://opensource.org/licenses/ISC)
|
|
7
|
+
|
|
5
8
|
## Installation
|
|
6
9
|
|
|
7
10
|
No installation required! Use `npx` to run the CLI directly:
|
|
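Review bot: the two badge lines added at README lines 5 and 6 (`[](https://www.npmjs.com/package/skillscokac)` and `[](https://opensource.org/licenses/ISC)`) have empty link text, so on npm they render as nothing at all; the image or alt text that normally sits inside the square brackets is missing. Either restore the badge image markup or give the links descriptive text such as `[npm package](...)` and `[ISC license](...)`. The license badge target does agree with the `## License` section at the end of the file, so only the presentation needs fixing.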
@@ -363,6 +366,69 @@ npm publish
|
|
|
363
366
|
- **boxen** - Terminal UI boxes for skill listings
|
|
364
367
|
- **yaml** - YAML frontmatter parsing from SKILL.md
|
|
365
368
|
|
|
369
|
+
## Security
|
|
370
|
+
|
|
371
|
+
Version 1.5.0 introduces comprehensive security enhancements to protect against various attack vectors:
|
|
372
|
+
|
|
373
|
+
### Security Features
|
|
374
|
+
|
|
375
|
+
**YAML Parsing Protection**
|
|
376
|
+
- Automatic YAML frontmatter preprocessing with special character handling
|
|
377
|
+
- Protection against YAML bombs (Billion Laughs attack)
|
|
378
|
+
- Frontmatter size limits (10KB max)
|
|
379
|
+
- Alias expansion limits (max 10 aliases)
|
|
380
|
+
- Strict YAML parsing with unique key validation
|
|
381
|
+
|
|
382
|
+
**Zip Bomb Protection**
|
|
383
|
+
- Compression ratio validation (max 100:1 ratio)
|
|
384
|
+
- Individual file size limits (10MB max)
|
|
385
|
+
- Total package size limits (100MB max)
|
|
386
|
+
- Early detection of suspicious compression patterns
|
|
387
|
+
|
|
388
|
+
**Path Traversal Protection**
|
|
389
|
+
- ZIP entry name validation
|
|
390
|
+
- Absolute path rejection
|
|
391
|
+
- Path traversal attempt detection (`..` sequences)
|
|
392
|
+
- Null byte filename protection
|
|
393
|
+
|
|
394
|
+
**Input Validation**
|
|
395
|
+
- Collection ID validation (alphanumeric with hyphens/underscores only)
|
|
396
|
+
- Skill name validation from API responses
|
|
397
|
+
- Network request validation (content-type, redirect limits)
|
|
398
|
+
- ReDoS (Regular Expression Denial of Service) protection
|
|
399
|
+
|
|
400
|
+
**File Content Validation**
|
|
401
|
+
- SKILL.md size validation before and after reading
|
|
402
|
+
- UTF-8 encoding validation
|
|
403
|
+
- Maximum line length limits (2000 chars)
|
|
404
|
+
- Maximum line count limits (1000 lines)
|
|
405
|
+
|
|
406
|
+
### Reporting Security Issues
|
|
407
|
+
|
|
408
|
+
If you discover a security vulnerability, please email: monogatree@gmail.com
|
|
409
|
+
|
|
410
|
+
## Changelog
|
|
411
|
+
|
|
412
|
+
### v1.5.0 (2026-01-05)
|
|
413
|
+
|
|
414
|
+
**Security Enhancements:**
|
|
415
|
+
- Added comprehensive YAML bomb protection with alias limits
|
|
416
|
+
- Implemented ZIP bomb detection with compression ratio checks
|
|
417
|
+
- Enhanced path traversal protection for ZIP entries
|
|
418
|
+
- Added ReDoS (Regular Expression Denial of Service) protection
|
|
419
|
+
- Implemented strict input validation for collection IDs and skill names
|
|
420
|
+
- Added file content size validation
|
|
421
|
+
- Enhanced network request validation with content-type checks
|
|
422
|
+
|
|
423
|
+
**Improvements:**
|
|
424
|
+
- Automatic YAML frontmatter preprocessing for special characters
|
|
425
|
+
- Better error messages for invalid inputs
|
|
426
|
+
- Improved handling of malformed SKILL.md files
|
|
427
|
+
|
|
428
|
+
### v1.4.3 and earlier
|
|
429
|
+
|
|
430
|
+
Previous versions available on [npm](https://www.npmjs.com/package/skillscokac).
|
|
431
|
+
|
|
366
432
|
## License
|
|
367
433
|
|
|
368
434
|
ISC
|
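Review bot: the new `## Changelog` section starts at `### v1.5.0 (2026-01-05)` and has no entry for v1.5.1, the version this diff publishes (package.json is the only other file touched, +1 -1), so a reader of the released README cannot tell what changed in 1.5.1; add a `### v1.5.1` entry, even if it only says the release is documentation-only. Two smaller points in the same hunk: the `## Security` section lists concrete limits (10KB frontmatter, 10 aliases, 100:1 compression ratio, 10MB per file, 100MB per package, 2000-char lines, 1000 lines) without pointing at where they are enforced or tested, and a link to the relevant source or test file would let users verify the claims rather than take them on trust; and `### Reporting Security Issues` gives only a personal mailbox, so consider adding a SECURITY.md (or a `security` field in package.json) so the disclosure contact is discoverable from the registry as well as the README.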