Requirement
skills.js does not verify signature or hash of codexmate.json when importing ZIP, allowing man-in-the-middle injection of malicious skills. Aider/Cline both have hash verification for skill packages.
Verification
Craft malicious ZIP (containing codexmate.json) → import via skills marketplace → observe whether security warning appears → verify if hash verification takes effect
Requirement
skills.jsdoes not verify signature or hash ofcodexmate.jsonwhen importing ZIP, allowing man-in-the-middle injection of malicious skills. Aider/Cline both have hash verification for skill packages.Verification
Craft malicious ZIP (containing codexmate.json) → import via skills marketplace → observe whether security warning appears → verify if hash verification takes effect