Skip to content

Add a complementary advisory SKILL.md content scan (prompt-injection) alongside SkillSpector #80

Description

@eeee2345

Following on from #51 (passing major marketplace scans) and #50/#52 (reducing reliance on the SkillSpector allowlist), I'd like to propose adding a second, complementary advisory scan over candidate skills.

The current skillspector workflow does static code-pattern scanning of changed skills. A different and currently-uncovered surface is the SKILL.md content itself — prompt-injection and instruction-override patterns in the skill's natural-language body, which a code-pattern scanner isn't looking for. The two are additive rather than overlapping.

The proposal: add an advisory ATR scan, mirroring the existing skillspector job's shape so it stays low-noise:

  • runs only over skills changed in the diff (same changed_skills.py selection),
  • advisory only — surfaces ::warning::, never fails CI,
  • runs via uvx/npx with no API key (ATR's default matching is static regex/heuristic, so there's nothing to call out).

ATR scans a SKILL.md directly (atr scan <path> auto-detects markdown). On the allowlist concern in #50, the intent is to keep matches high-signal so it doesn't add allowlist burden; if it can't clear that bar over the existing catalog I'd rather not add it.

If this is a direction you'd take, I'm happy to open a PR wiring it as an additional advisory job alongside skillspector. I'd frame this as CI/tooling, not a catalog skill — ATR isn't AMD-hardware-specific, so it doesn't belong in the catalog itself.

Disclosure: I maintain ATR. (For context, an ATR docs integration landed in amd/gaia #1809.)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions