fix(skills): update getsentry/skills to 5a64b36, fix 3 of 5 scan failures #739

Open
JAORMX wants to merge 5 commits into main from fix/getsentry-skills-digest

JAORMX commented Jul 3, 2026

Collaborator

Summary

  • Supersedes chore(deps): update getsentry/skills digest to 5a64b36 #685. Carries the same digest/version bump renovate proposed for all 18 getsentry skills, plus fixes for 3 of 5 skills that failed skill-security-scan.
  • The mass build-skill-artifacts failure across ~17 skills in chore(deps): update getsentry/skills digest to 5a64b36 #685 was a transient Docker Hub 500 pulling mikefarah/yq:4-githubaction during job setup — unrelated to this bump, already cleared on re-run.
  • Fixed:
    • doc-coauthoring: ATR_2026_00051 matched "For each" in a workflow-step description (plain prose).
    • find-bugs: ATR_2026_00111 is the scanner's new numbered rule id for a finding already allowlisted under the old named id ATR_MCP_MALICIOUS_RESPONSE (read-only git/gh command substitution). The scanner appears to have switched from named to numbered ATR_2026_* ids, making some existing allowlist entries stale.
    • skill-scanner: ATR_2026_00276 matched an actual zero-width-space character used as a worked example in this meta-skill's own prompt-injection-pattern reference docs — same "documents attack patterns for detection" class as its existing allowlist entries.
  • Not fixed here — flagged for review: gha-security-review (36 blocking findings across 8 distinct rule ids) and skill-writer (176 blocking findings across 10 distinct rule ids). Spot-checked samples from both look like the same benign-domain-vocabulary FP class (GHA ${{ }} expressions, "deploy"/"upload", code fences, doc prose) as everything else in this batch, and their existing allowlists use the same stale named-rule-id pattern found in find-bugs — but the volume is high enough for security-review-domain content that I didn't want to bulk-allowlist without a second pair of eyes.

Test plan

Co-Authored-By: Claude Sonnet 5 noreply@anthropic.com

renovate Bot and others added 3 commits July 3, 2026 13:41
…code-review,code-simplifier,commit,create-branch,django-access-review,django-perf-review,doc-coauthoring,find-bugs,gh-review-requests,gha-security-review,iterate-pr,pr-writer,prompt-optimizer,security-review,skill-scanner,skill-writer
- doc-coauthoring: ATR_2026_00051 matched "For each" in a workflow step
  description, plain prose.
- find-bugs: ATR_2026_00111 is the scanner's new numbered id for the
  same finding already allowlisted under the old named id
  ATR_MCP_MALICIOUS_RESPONSE (a read-only gh/git command substitution).
- skill-scanner: ATR_2026_00276 matched an actual zero-width-space
  character used as a worked example in the skill's own
  prompt-injection-pattern reference docs -- same "meta-skill documents
  attack patterns for detection" class as its existing allowlist
  entries.

Note: gha-security-review (36 blocking findings, 8 distinct rule ids)
and skill-writer (176 blocking findings, 10 distinct rule ids) in this
same digest bump are NOT fixed here -- high volume in security-review
domain content, flagged for human review rather than bulk-allowlisted.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>

toolhive-release-app Bot commented Jul 3, 2026

Contributor

🛡️ Skill Security Scan Results

✅ agents-md

  • Status: Passed
  • Findings: 1
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ claude-settings-audit

  • Status: Passed
  • Findings: 5
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ code-review

  • Status: Passed
  • Findings: 3
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ code-simplifier

  • Status: Passed
  • Findings: 1
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ commit

  • Status: Passed
  • Findings: 4
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ create-branch

  • Status: Passed
  • Findings: 4

✅ django-access-review

  • Status: Passed
  • Findings: 2

✅ django-perf-review

  • Status: Passed
  • Findings: 0

✅ doc-coauthoring

  • Status: Passed
  • Findings: 4
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ find-bugs

  • Status: Passed
  • Findings: 5
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ gh-review-requests

  • Status: Passed
  • Findings: 5
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

❌ gha-security-review

  • Status: Failed
  • Findings: 84
  • Blocking: 53

Blocking issues:

  • [ATR_2026_00040] (CRITICAL) Pattern detected: exec (references/real-world-attacks.md:240)
  • [ATR_2026_00063] (CRITICAL) Pattern detected: Base64 (references/real-world-attacks.md:253)
  • [ATR_2026_00063] (CRITICAL) Pattern detected: base64 (references/real-world-attacks.md:260)
  • [ATR_2026_00111] (CRITICAL) Pattern detected: curl | bash (references/real-world-attacks.md:264)
  • [ATR_2026_00111] (CRITICAL) Pattern detected: curl -sSfL [url] | bash (references/real-world-attacks.md:271)
  • [ATR_2026_00066] (CRITICAL) Pattern detected: ${{ }} (references/real-world-attacks.md:275)
  • [ATR_2026_00066] (CRITICAL) Pattern detected: `bash (references/runner-infrastructure.md:30)
  • [ATR_2026_00096] (CRITICAL) Pattern detected: beacon (references/runner-infrastructure.md:34)
  • [ATR_2026_00012] (HIGH) Pattern detected: /.ssh/authorized_keys (references/runner-infrastructure.md:38)
  • [ATR_2026_00090] (HIGH) Pattern detected: Steal cached credential (references/runner-infrastructure.md:40)
  • [ATR_2026_00113] (CRITICAL) Pattern detected: ~/.docker/config.json (references/runner-infrastructure.md:41)
  • [ATR_2026_00113] (CRITICAL) Pattern detected: ~/.npmrc (references/runner-infrastructure.md:42)
  • [ATR_2026_00113] (CRITICAL) Pattern detected: ~/.aws/credentials (references/runner-infrastructure.md:43)
  • [ATR_2026_00066] (CRITICAL) Pattern detected: `bash (references/runner-infrastructure.md:48)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: bash (references/runner-infrastructure.md:50)
  • [ATR_2026_00161] (CRITICAL) Pattern detected: .env (references/runner-infrastructure.md:51)
  • [ATR_2026_00201] (CRITICAL) Pattern detected: curl -d @/home/runner/work/*/secret (references/runner-infrastructure.md:52)
  • [ATR_2026_00066] (CRITICAL) Pattern detected: `bash (references/runner-infrastructure.md:62)
  • [ATR_2026_00013] (CRITICAL) Pattern detected: 0.0.0.0 (references/runner-infrastructure.md:65)
  • [ATR_2026_00263] (CRITICAL) Pattern detected: curl http://169.254.169.254/latest/meta-data (references/runner-infrastructure.md:69)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: actions/cache stores and restores files between workflow runs using a key. The cache is scoped to a branch, but **feature branches can read caches from the default branc (references/runner-infrastructure.md:78)
  • [ATR_2026_00066] (CRITICAL) Pattern detected: ${{ hashFiles('package-lock.json') }} (references/runner-infrastructure.md:84)
  • [ATR_2026_00066] (CRITICAL) Pattern detected: ${{ hashFiles('package-lock.json') }} (references/runner-infrastructure.md:98)
  • [ATR_2026_00066] (CRITICAL) Pattern detected: ${{ hashFiles('package-lock.json') }} (references/runner-infrastructure.md:112)
  • [ATR_2026_00012] (HIGH) Pattern detected: | Branc (references/runner-infrastructure.md:119)
  • [ATR_2026_00012] (HIGH) Pattern detected: | Default branc (references/runner-infrastructure.md:121)
  • [ATR_2026_00012] (HIGH) Pattern detected: | Feature branc (references/runner-infrastructure.md:122)
  • [ATR_2026_00012] (HIGH) Pattern detected: | PR from fork | Fork branch + main | Fork branc (references/runner-infrastructure.md:123)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: main and write to their own branc (references/runner-infrastructure.md:125)
  • [ATR_2026_00063] (CRITICAL) Pattern detected: upload (references/runner-infrastructure.md:133)
  • [ATR_2026_00063] (CRITICAL) Pattern detected: upload (references/runner-infrastructure.md:141)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: Deploy (references/runner-infrastructure.md:146)
  • [ATR_2026_00066] (CRITICAL) Pattern detected: ${{ github.event.workflow_run.id }} (references/runner-infrastructure.md:155)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: deploy (references/runner-infrastructure.md:156)
  • [ATR_2026_00066] (CRITICAL) Pattern detected: `bash (references/runner-infrastructure.md:169)
  • [ATR_2026_00063] (CRITICAL) Pattern detected: upload (references/runner-infrastructure.md:176)
  • [ATR_2026_00063] (CRITICAL) Pattern detected: upload (references/runner-infrastructure.md:177)
  • [ATR_2026_00066] (CRITICAL) Pattern detected: ${{ github.ref }}-${{ hashFiles('package-lock.json') }} (references/runner-infrastructure.md:222)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: deploy (references/runner-infrastructure.md:238)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: deploy (references/runner-infrastructure.md:239)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: deploy (references/runner-infrastructure.md:246)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: pull_request_target + fork checkout | Critical | Fork code + secrets + persistenc (references/runner-infrastructure.md:256)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: deploy (references/runner-infrastructure.md:258)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: push to protected branc (references/runner-infrastructure.md:259)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: uses:. If these actions are not pinned to immutable referenc (references/supply-chain.md:5)
  • [ATR_2026_00111] (CRITICAL) Pattern detected: | bash (references/supply-chain.md:59)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: exec (references/supply-chain.md:61)
  • [ATR_2026_00111] (CRITICAL) Pattern detected: | bash (references/supply-chain.md:68)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: shell (references/supply-chain.md:69)
  • [ATR_2026_00066] (CRITICAL) Pattern detected: `bash (references/supply-chain.md:78)
  • [ATR_2026_00012] (HIGH) Pattern detected: | Action that curl (references/supply-chain.md:147)
  • [ATR_2026_00111] (CRITICAL) Pattern detected: |bash (references/supply-chain.md:155)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: EXEC (references/supply-chain.md:159)

✅ iterate-pr

  • Status: Passed
  • Findings: 6
  • Allowed (not blocking): 1
    • RESOURCE_ABUSE_INFINITE_LOOP (Allowed: The scripts/monitor_pr_checks.py helper polls PR check status in a while True: loop with bounded retries and sleep — legitimate for waiting until CI reaches a terminal state. The script has a timeout and exit conditions.)

✅ pr-writer

  • Status: Passed
  • Findings: 2
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ prompt-optimizer

  • Status: Passed
  • Findings: 3
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ security-review

  • Status: Passed
  • Findings: 3

❌ skill-scanner

  • Status: Failed
  • Findings: 5
  • Blocking: 1

Blocking issues:

  • [ATR_2026_00080] (HIGH) Pattern detected: decode("aW1wb3J0IG9zOyBvcy5zeXN0ZW0oJ2N1cmwgZXZpbC5jb20nKQ== (references/dangerous-code-patterns.md:144)

Allowlisted (not blocking):

  • OBFUSCATION_BASE64_LARGE (Allowed: This is a meta-skill that teaches detection of malicious patterns. Its reference material cites exec(base64.b64decode(...)) as an example of obfuscated code the scanner should flag in other skills — the skill documents the pattern it hunts, it does not execute it.)
  • ATR_2026_00276 (Allowed: FP: this meta-skill's reference doc on prompt-injection patterns (references/prompt-injection-patterns.md) includes an actual zero-width-space character as a worked example of the 'Zero-Width Characters' evasion technique it documents. Teaching the detection pattern requires an example of the pattern; not an injection attempt against this skill itself.)
  • YARA_prompt_injection_unicode_steganography (Allowed: The skill documents invisible Unicode steganography (\U000e0001 tag characters) as a prompt-injection vector. Describing the attack class is required for the skill to teach detection of it.)

❌ skill-writer

  • Status: Failed
  • Findings: 141
  • Blocking: 63

Blocking issues:

  • [ATR_2026_00010] (CRITICAL) Pattern detected: SPEC.md exists or was updated when the change creates a skill or materially changes intent, scope, evidence model, validation, or maintenanc (references/registration-validation.md:42)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: SKILL.md and `referenc (references/registration-validation.md:48)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: `referenc (references/registration-validation.md:51)
  • [ATR_2026_00066] (CRITICAL) Pattern detected: ${CLAUDE_SKILL_ROOT} (references/registration-validation.md:52)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: EVAL.md for skill-writer itself. Runtime skills should not route to their own eval files unless the user explicitly asks to run or maintain eval (references/skill-evals.md:5)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: EVAL.md | maintainer playbook for running the skill's eval (references/skill-evals.md:11)
  • [ATR_2026_00111] (CRITICAL) Pattern detected: evals/axis.config.json (references/skill-evals.md:12)
  • [ATR_2026_00111] (CRITICAL) Pattern detected: evals/scenarios/*.{json,ts} (references/skill-evals.md:13)
  • [ATR_2026_00111] (CRITICAL) Pattern detected: evals/fixtures/ (references/skill-evals.md:14)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: SKILL.md routing. Add SKILL.md routing only for skills whose purpose is running eval (references/skill-evals.md:16)
  • [ATR_2026_00012] (HIGH) Pattern detected: | skill eval (references/skill-evals.md:22)
  • [ATR_2026_00012] (HIGH) Pattern detected: | repeatable skill eval (references/skill-evals.md:23)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: exec (references/skill-evals.md:24)
  • [ATR_2026_00012] (HIGH) Pattern detected: | out of scope for skill eval (references/skill-evals.md:28)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: exec (references/skill-evals.md:30)
  • [ATR_2026_00111] (CRITICAL) Pattern detected: evals/fixtures/ (references/skill-evals.md:52)
  • [ATR_2026_00088] (HIGH) Pattern detected: output with normal (references/skill-evals.md:60)
  • [ATR_2026_00012] (HIGH) Pattern detected: | deterministic assertion | files exist, referenc (references/skill-evals.md:72)
  • [ATR_2026_00012] (HIGH) Pattern detected: | script check | JSON sh (references/skill-evals.md:73)
  • [ATR_2026_00012] (HIGH) Pattern detected: | LLM judge | conc (references/skill-evals.md:74)
  • [ATR_2026_00012] (HIGH) Pattern detected: | human review | taste, audienc (references/skill-evals.md:75)
  • [ATR_2026_00066] (CRITICAL) Pattern detected: `bash (references/skill-evals.md:83)
  • [ATR_2026_00012] (HIGH) Pattern detected: | runtime conc (references/skill-evals.md:111)
  • [ATR_2026_00012] (HIGH) Pattern detected: | important decisions have enough evidenc (references/skill-evals.md:112)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: exec (references/skill-evals.md:125)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: exec (references/source-adaptation.md:7)
  • [ATR_2026_00012] (HIGH) Pattern detected: | local target | what the generated skill sh (references/source-adaptation.md:16)
  • [ATR_2026_00012] (HIGH) Pattern detected: | local replacement | what sh (references/source-adaptation.md:18)
  • [ATR_2026_00012] (HIGH) Pattern detected: | provenanc (references/source-adaptation.md:20)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: SOURCES.md, SPEC.md, or a focused referenc (references/source-adaptation.md:39)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: deploy (references/source-discovery.md:33)
  • [ATR_2026_00066] (CRITICAL) Pattern detected: `bash (references/source-discovery.md:40)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: SKILL.md. Summarize the behavior and keep provenance in SOURCES.md or an evidenc (references/source-discovery.md:49)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: exec (references/spec-template.md:32)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: SPEC.md | maintenanc (references/spec-template.md:33)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: `referenc (references/spec-template.md:35)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: `references/evidenc (references/spec-template.md:36)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: `referenc (references/spec-template.md:88)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: `references/evidenc (references/spec-template.md:89)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: `references/evidenc (references/spec-template.md:108)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: SPEC.md conc (references/spec-template.md:113)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: `references/evidenc (references/spec-template.md:115)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: SKILL.md exceeds 500 lines and becomes a second enc (references/structure-troubleshooting.md:7)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: `referenc (references/structure-troubleshooting.md:9)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: SKILL.md, SPEC.md, SOURCES.md, `referenc (references/structure-troubleshooting.md:51)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: context: fork is used for conventions or reference material instead of a conc (references/structure-troubleshooting.md:97)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: exec (references/structure-troubleshooting.md:99)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: shell (references/structure-troubleshooting.md:103)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: exec (references/synthesis-path.md:16)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: SPEC.md, SOURCES.md, and `references/evidenc (references/synthesis-path.md:39)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: references/source-adaptation.md when the primary input is an upstream prompt, workflow, rubric, benc (references/synthesis-path.md:45)
  • [ATR_2026_00012] (HIGH) Pattern detected: | negative behavior | false positives, reviewer conc (references/synthesis-path.md:76)
  • [ATR_2026_00012] (HIGH) Pattern detected: | version variance | platform or release differenc (references/synthesis-path.md:78)
  • [ATR_2026_00111] (CRITICAL) Pattern detected: | sh (references/synthesis-path.md:79)
  • [ATR_2026_00051] (HIGH) Pattern detected: For each (references/synthesis-path.md:90)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: exec (references/workflow-parallel.md:8)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: Exec (references/workflow-plan-validate-execute.md:1)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: exec (references/workflow-plan-validate-execute.md:16)
  • [ATR_2026_00040] (CRITICAL) Pattern detected: Exec (references/workflow-plan-validate-execute.md:24)
  • [ATR_2026_00051] (HIGH) Pattern detected: for each (references/workflow-prompt-chaining.md:14)
  • [ATR_2026_00051] (HIGH) Pattern detected: for each (references/workflow-routing.md:16)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: `referenc (references/workflow-routing.md:23)
  • [ATR_2026_00010] (CRITICAL) Pattern detected: `referenc (references/workflow-routing.md:25)

Summary: Scanned 18 skill(s), found 117 blocking issue(s).

⚠️ Action Required: Review the blocking findings. Add a justified entry to the skill's security.allowed_issues[] in its spec.yaml if the finding is a false positive.

…l-scanner

The scanner's non-determinism kept surfacing a different subset of this
153-line reference doc's documented attack-example strings on each
re-scan (Ignore previous instructions, SYSTEM: ignore, jailbreak
examples, exfil, etc.). Upstream's own file includes a "False Positive
Guide" explicitly stating patterns in references/ files are
documentation, not attacks. Allowlisting the full observed rule_id set
at once rather than whack-a-moling one at a time.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>