From b58390df145d8ec073141d08627ce6dc7ad854fd Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 3 Jul 2026 10:18:28 +0000 Subject: [PATCH 1/3] chore(deps): update trailofbits/skills digest to cfe5d7b --- skills/agentic-actions-auditor/spec.yaml | 2 +- skills/codeql/spec.yaml | 2 +- skills/constant-time-analysis/spec.yaml | 2 +- skills/differential-review/spec.yaml | 2 +- skills/fp-check/spec.yaml | 2 +- skills/insecure-defaults/spec.yaml | 2 +- skills/property-based-testing/spec.yaml | 2 +- skills/sarif-parsing/spec.yaml | 2 +- skills/semgrep-rule-creator/spec.yaml | 2 +- skills/semgrep-rule-variant-creator/spec.yaml | 2 +- skills/semgrep/spec.yaml | 2 +- skills/sharp-edges/spec.yaml | 2 +- skills/supply-chain-risk-auditor/spec.yaml | 2 +- skills/variant-analysis/spec.yaml | 2 +- skills/yara-rule-authoring/spec.yaml | 2 +- skills/zeroize-audit/spec.yaml | 2 +- 16 files changed, 16 insertions(+), 16 deletions(-) diff --git a/skills/agentic-actions-auditor/spec.yaml b/skills/agentic-actions-auditor/spec.yaml index b0cc0700..c263a24a 100644 --- a/skills/agentic-actions-auditor/spec.yaml +++ b/skills/agentic-actions-auditor/spec.yaml @@ -9,7 +9,7 @@ metadata: spec: repository: "https://github.com/trailofbits/skills" - ref: "a56045e9ae00b3506cacefea0f672aab0a1a6e3c" # main as of 2026-04-17 + ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/agentic-actions-auditor/skills/agentic-actions-auditor" version: "0.1.0" diff --git a/skills/codeql/spec.yaml b/skills/codeql/spec.yaml index f35e7538..d0bca7c8 100644 --- a/skills/codeql/spec.yaml +++ b/skills/codeql/spec.yaml @@ -9,7 +9,7 @@ metadata: spec: repository: "https://github.com/trailofbits/skills" - ref: "a56045e9ae00b3506cacefea0f672aab0a1a6e3c" # main as of 2026-04-17 + ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/static-analysis/skills/codeql" version: "0.1.0" diff --git a/skills/constant-time-analysis/spec.yaml b/skills/constant-time-analysis/spec.yaml index d066d4ff..d35bdd03 100644 --- a/skills/constant-time-analysis/spec.yaml +++ b/skills/constant-time-analysis/spec.yaml @@ -9,7 +9,7 @@ metadata: spec: repository: "https://github.com/trailofbits/skills" - ref: "a56045e9ae00b3506cacefea0f672aab0a1a6e3c" # main as of 2026-04-17 + ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/constant-time-analysis/skills/constant-time-analysis" version: "0.1.0" diff --git a/skills/differential-review/spec.yaml b/skills/differential-review/spec.yaml index 9b71211a..030b2500 100644 --- a/skills/differential-review/spec.yaml +++ b/skills/differential-review/spec.yaml @@ -9,7 +9,7 @@ metadata: spec: repository: "https://github.com/trailofbits/skills" - ref: "a56045e9ae00b3506cacefea0f672aab0a1a6e3c" # main as of 2026-04-17 + ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/differential-review/skills/differential-review" version: "0.1.0" diff --git a/skills/fp-check/spec.yaml b/skills/fp-check/spec.yaml index 645c71c9..d102d6a7 100644 --- a/skills/fp-check/spec.yaml +++ b/skills/fp-check/spec.yaml @@ -9,7 +9,7 @@ metadata: spec: repository: "https://github.com/trailofbits/skills" - ref: "a56045e9ae00b3506cacefea0f672aab0a1a6e3c" # main as of 2026-04-17 + ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/fp-check/skills/fp-check" version: "0.1.0" diff --git a/skills/insecure-defaults/spec.yaml b/skills/insecure-defaults/spec.yaml index d259c44c..55226877 100644 --- a/skills/insecure-defaults/spec.yaml +++ b/skills/insecure-defaults/spec.yaml @@ -9,7 +9,7 @@ metadata: spec: repository: "https://github.com/trailofbits/skills" - ref: "a56045e9ae00b3506cacefea0f672aab0a1a6e3c" # main as of 2026-04-17 + ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/insecure-defaults/skills/insecure-defaults" version: "0.1.0" diff --git a/skills/property-based-testing/spec.yaml b/skills/property-based-testing/spec.yaml index 97f455a8..63b0e88b 100644 --- a/skills/property-based-testing/spec.yaml +++ b/skills/property-based-testing/spec.yaml @@ -9,7 +9,7 @@ metadata: spec: repository: "https://github.com/trailofbits/skills" - ref: "a56045e9ae00b3506cacefea0f672aab0a1a6e3c" # main as of 2026-04-17 + ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/property-based-testing/skills/property-based-testing" version: "0.1.0" diff --git a/skills/sarif-parsing/spec.yaml b/skills/sarif-parsing/spec.yaml index 26972f42..01fe43d0 100644 --- a/skills/sarif-parsing/spec.yaml +++ b/skills/sarif-parsing/spec.yaml @@ -9,7 +9,7 @@ metadata: spec: repository: "https://github.com/trailofbits/skills" - ref: "a56045e9ae00b3506cacefea0f672aab0a1a6e3c" # main as of 2026-04-17 + ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/static-analysis/skills/sarif-parsing" version: "0.1.0" diff --git a/skills/semgrep-rule-creator/spec.yaml b/skills/semgrep-rule-creator/spec.yaml index aaee2401..5602bbb4 100644 --- a/skills/semgrep-rule-creator/spec.yaml +++ b/skills/semgrep-rule-creator/spec.yaml @@ -9,7 +9,7 @@ metadata: spec: repository: "https://github.com/trailofbits/skills" - ref: "a56045e9ae00b3506cacefea0f672aab0a1a6e3c" # main as of 2026-04-17 + ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/semgrep-rule-creator/skills/semgrep-rule-creator" version: "0.1.0" diff --git a/skills/semgrep-rule-variant-creator/spec.yaml b/skills/semgrep-rule-variant-creator/spec.yaml index 32f0f88c..a2b33147 100644 --- a/skills/semgrep-rule-variant-creator/spec.yaml +++ b/skills/semgrep-rule-variant-creator/spec.yaml @@ -9,7 +9,7 @@ metadata: spec: repository: "https://github.com/trailofbits/skills" - ref: "a56045e9ae00b3506cacefea0f672aab0a1a6e3c" # main as of 2026-04-17 + ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator" version: "0.1.0" diff --git a/skills/semgrep/spec.yaml b/skills/semgrep/spec.yaml index 11d919f4..d1f789e6 100644 --- a/skills/semgrep/spec.yaml +++ b/skills/semgrep/spec.yaml @@ -9,7 +9,7 @@ metadata: spec: repository: "https://github.com/trailofbits/skills" - ref: "a56045e9ae00b3506cacefea0f672aab0a1a6e3c" # main as of 2026-04-17 + ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/static-analysis/skills/semgrep" version: "0.1.0" diff --git a/skills/sharp-edges/spec.yaml b/skills/sharp-edges/spec.yaml index d22adbb0..2538ee18 100644 --- a/skills/sharp-edges/spec.yaml +++ b/skills/sharp-edges/spec.yaml @@ -9,7 +9,7 @@ metadata: spec: repository: "https://github.com/trailofbits/skills" - ref: "a56045e9ae00b3506cacefea0f672aab0a1a6e3c" # main as of 2026-04-17 + ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/sharp-edges/skills/sharp-edges" version: "0.1.0" diff --git a/skills/supply-chain-risk-auditor/spec.yaml b/skills/supply-chain-risk-auditor/spec.yaml index a14031e3..7019f59f 100644 --- a/skills/supply-chain-risk-auditor/spec.yaml +++ b/skills/supply-chain-risk-auditor/spec.yaml @@ -9,7 +9,7 @@ metadata: spec: repository: "https://github.com/trailofbits/skills" - ref: "a56045e9ae00b3506cacefea0f672aab0a1a6e3c" # main as of 2026-04-17 + ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/supply-chain-risk-auditor/skills/supply-chain-risk-auditor" version: "0.1.0" diff --git a/skills/variant-analysis/spec.yaml b/skills/variant-analysis/spec.yaml index 49e5b0e7..ab0537b4 100644 --- a/skills/variant-analysis/spec.yaml +++ b/skills/variant-analysis/spec.yaml @@ -9,7 +9,7 @@ metadata: spec: repository: "https://github.com/trailofbits/skills" - ref: "a56045e9ae00b3506cacefea0f672aab0a1a6e3c" # main as of 2026-04-17 + ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/variant-analysis/skills/variant-analysis" version: "0.1.0" diff --git a/skills/yara-rule-authoring/spec.yaml b/skills/yara-rule-authoring/spec.yaml index 49fd18d3..ce41b58c 100644 --- a/skills/yara-rule-authoring/spec.yaml +++ b/skills/yara-rule-authoring/spec.yaml @@ -9,7 +9,7 @@ metadata: spec: repository: "https://github.com/trailofbits/skills" - ref: "a56045e9ae00b3506cacefea0f672aab0a1a6e3c" # main as of 2026-04-17 + ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/yara-authoring/skills/yara-rule-authoring" version: "0.1.0" diff --git a/skills/zeroize-audit/spec.yaml b/skills/zeroize-audit/spec.yaml index ad3b9a40..53fb917f 100644 --- a/skills/zeroize-audit/spec.yaml +++ b/skills/zeroize-audit/spec.yaml @@ -9,7 +9,7 @@ metadata: spec: repository: "https://github.com/trailofbits/skills" - ref: "a56045e9ae00b3506cacefea0f672aab0a1a6e3c" # main as of 2026-04-17 + ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/zeroize-audit/skills/zeroize-audit" version: "0.1.0" From 2d6a91bb01f78c099daef5f8e03bf524d8124932 Mon Sep 17 00:00:00 2001 From: "toolhive-release-app[bot]" <280093410+toolhive-release-app[bot]@users.noreply.github.com> Date: Fri, 3 Jul 2026 10:19:09 +0000 Subject: [PATCH 2/3] chore(skills): bump spec.version for agentic-actions-auditor,codeql,constant-time-analysis,differential-review,fp-check,insecure-defaults,property-based-testing,sarif-parsing,semgrep,semgrep-rule-creator,semgrep-rule-variant-creator,sharp-edges,supply-chain-risk-auditor,variant-analysis,yara-rule-authoring,zeroize-audit --- skills/agentic-actions-auditor/spec.yaml | 2 +- skills/codeql/spec.yaml | 2 +- skills/constant-time-analysis/spec.yaml | 2 +- skills/differential-review/spec.yaml | 2 +- skills/fp-check/spec.yaml | 2 +- skills/insecure-defaults/spec.yaml | 2 +- skills/property-based-testing/spec.yaml | 2 +- skills/sarif-parsing/spec.yaml | 2 +- skills/semgrep-rule-creator/spec.yaml | 2 +- skills/semgrep-rule-variant-creator/spec.yaml | 2 +- skills/semgrep/spec.yaml | 2 +- skills/sharp-edges/spec.yaml | 2 +- skills/supply-chain-risk-auditor/spec.yaml | 2 +- skills/variant-analysis/spec.yaml | 2 +- skills/yara-rule-authoring/spec.yaml | 2 +- skills/zeroize-audit/spec.yaml | 2 +- 16 files changed, 16 insertions(+), 16 deletions(-) diff --git a/skills/agentic-actions-auditor/spec.yaml b/skills/agentic-actions-auditor/spec.yaml index c263a24a..c6c36c6c 100644 --- a/skills/agentic-actions-auditor/spec.yaml +++ b/skills/agentic-actions-auditor/spec.yaml @@ -11,7 +11,7 @@ spec: repository: "https://github.com/trailofbits/skills" ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/agentic-actions-auditor/skills/agentic-actions-auditor" - version: "0.1.0" + version: "0.2.0" provenance: repository_uri: "https://github.com/trailofbits/skills" diff --git a/skills/codeql/spec.yaml b/skills/codeql/spec.yaml index d0bca7c8..3f8bd25f 100644 --- a/skills/codeql/spec.yaml +++ b/skills/codeql/spec.yaml @@ -11,7 +11,7 @@ spec: repository: "https://github.com/trailofbits/skills" ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/static-analysis/skills/codeql" - version: "0.1.0" + version: "0.2.0" provenance: repository_uri: "https://github.com/trailofbits/skills" diff --git a/skills/constant-time-analysis/spec.yaml b/skills/constant-time-analysis/spec.yaml index d35bdd03..3306d3a1 100644 --- a/skills/constant-time-analysis/spec.yaml +++ b/skills/constant-time-analysis/spec.yaml @@ -11,7 +11,7 @@ spec: repository: "https://github.com/trailofbits/skills" ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/constant-time-analysis/skills/constant-time-analysis" - version: "0.1.0" + version: "0.2.0" provenance: repository_uri: "https://github.com/trailofbits/skills" diff --git a/skills/differential-review/spec.yaml b/skills/differential-review/spec.yaml index 030b2500..65ab3e6e 100644 --- a/skills/differential-review/spec.yaml +++ b/skills/differential-review/spec.yaml @@ -11,7 +11,7 @@ spec: repository: "https://github.com/trailofbits/skills" ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/differential-review/skills/differential-review" - version: "0.1.0" + version: "0.2.0" provenance: repository_uri: "https://github.com/trailofbits/skills" diff --git a/skills/fp-check/spec.yaml b/skills/fp-check/spec.yaml index d102d6a7..b7d56fc3 100644 --- a/skills/fp-check/spec.yaml +++ b/skills/fp-check/spec.yaml @@ -11,7 +11,7 @@ spec: repository: "https://github.com/trailofbits/skills" ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/fp-check/skills/fp-check" - version: "0.1.0" + version: "0.2.0" provenance: repository_uri: "https://github.com/trailofbits/skills" diff --git a/skills/insecure-defaults/spec.yaml b/skills/insecure-defaults/spec.yaml index 55226877..bbaafa8c 100644 --- a/skills/insecure-defaults/spec.yaml +++ b/skills/insecure-defaults/spec.yaml @@ -11,7 +11,7 @@ spec: repository: "https://github.com/trailofbits/skills" ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/insecure-defaults/skills/insecure-defaults" - version: "0.1.0" + version: "0.2.0" provenance: repository_uri: "https://github.com/trailofbits/skills" diff --git a/skills/property-based-testing/spec.yaml b/skills/property-based-testing/spec.yaml index 63b0e88b..c67dbf52 100644 --- a/skills/property-based-testing/spec.yaml +++ b/skills/property-based-testing/spec.yaml @@ -11,7 +11,7 @@ spec: repository: "https://github.com/trailofbits/skills" ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/property-based-testing/skills/property-based-testing" - version: "0.1.0" + version: "0.2.0" provenance: repository_uri: "https://github.com/trailofbits/skills" diff --git a/skills/sarif-parsing/spec.yaml b/skills/sarif-parsing/spec.yaml index 01fe43d0..654dcbba 100644 --- a/skills/sarif-parsing/spec.yaml +++ b/skills/sarif-parsing/spec.yaml @@ -11,7 +11,7 @@ spec: repository: "https://github.com/trailofbits/skills" ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/static-analysis/skills/sarif-parsing" - version: "0.1.0" + version: "0.2.0" provenance: repository_uri: "https://github.com/trailofbits/skills" diff --git a/skills/semgrep-rule-creator/spec.yaml b/skills/semgrep-rule-creator/spec.yaml index 5602bbb4..0b808c7f 100644 --- a/skills/semgrep-rule-creator/spec.yaml +++ b/skills/semgrep-rule-creator/spec.yaml @@ -11,7 +11,7 @@ spec: repository: "https://github.com/trailofbits/skills" ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/semgrep-rule-creator/skills/semgrep-rule-creator" - version: "0.1.0" + version: "0.2.0" provenance: repository_uri: "https://github.com/trailofbits/skills" diff --git a/skills/semgrep-rule-variant-creator/spec.yaml b/skills/semgrep-rule-variant-creator/spec.yaml index a2b33147..323e7210 100644 --- a/skills/semgrep-rule-variant-creator/spec.yaml +++ b/skills/semgrep-rule-variant-creator/spec.yaml @@ -11,7 +11,7 @@ spec: repository: "https://github.com/trailofbits/skills" ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator" - version: "0.1.0" + version: "0.2.0" provenance: repository_uri: "https://github.com/trailofbits/skills" diff --git a/skills/semgrep/spec.yaml b/skills/semgrep/spec.yaml index d1f789e6..5d35c57d 100644 --- a/skills/semgrep/spec.yaml +++ b/skills/semgrep/spec.yaml @@ -11,7 +11,7 @@ spec: repository: "https://github.com/trailofbits/skills" ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/static-analysis/skills/semgrep" - version: "0.1.0" + version: "0.2.0" provenance: repository_uri: "https://github.com/trailofbits/skills" diff --git a/skills/sharp-edges/spec.yaml b/skills/sharp-edges/spec.yaml index 2538ee18..59ed031a 100644 --- a/skills/sharp-edges/spec.yaml +++ b/skills/sharp-edges/spec.yaml @@ -11,7 +11,7 @@ spec: repository: "https://github.com/trailofbits/skills" ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/sharp-edges/skills/sharp-edges" - version: "0.1.0" + version: "0.2.0" provenance: repository_uri: "https://github.com/trailofbits/skills" diff --git a/skills/supply-chain-risk-auditor/spec.yaml b/skills/supply-chain-risk-auditor/spec.yaml index 7019f59f..cc70c668 100644 --- a/skills/supply-chain-risk-auditor/spec.yaml +++ b/skills/supply-chain-risk-auditor/spec.yaml @@ -11,7 +11,7 @@ spec: repository: "https://github.com/trailofbits/skills" ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/supply-chain-risk-auditor/skills/supply-chain-risk-auditor" - version: "0.1.0" + version: "0.2.0" provenance: repository_uri: "https://github.com/trailofbits/skills" diff --git a/skills/variant-analysis/spec.yaml b/skills/variant-analysis/spec.yaml index ab0537b4..286742d8 100644 --- a/skills/variant-analysis/spec.yaml +++ b/skills/variant-analysis/spec.yaml @@ -11,7 +11,7 @@ spec: repository: "https://github.com/trailofbits/skills" ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/variant-analysis/skills/variant-analysis" - version: "0.1.0" + version: "0.2.0" provenance: repository_uri: "https://github.com/trailofbits/skills" diff --git a/skills/yara-rule-authoring/spec.yaml b/skills/yara-rule-authoring/spec.yaml index ce41b58c..2a38e354 100644 --- a/skills/yara-rule-authoring/spec.yaml +++ b/skills/yara-rule-authoring/spec.yaml @@ -11,7 +11,7 @@ spec: repository: "https://github.com/trailofbits/skills" ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/yara-authoring/skills/yara-rule-authoring" - version: "0.1.0" + version: "0.2.0" provenance: repository_uri: "https://github.com/trailofbits/skills" diff --git a/skills/zeroize-audit/spec.yaml b/skills/zeroize-audit/spec.yaml index 53fb917f..2eec86c2 100644 --- a/skills/zeroize-audit/spec.yaml +++ b/skills/zeroize-audit/spec.yaml @@ -11,7 +11,7 @@ spec: repository: "https://github.com/trailofbits/skills" ref: "cfe5d7b1619e47fb5b38b7e2561dad7e5f1e89af" # main as of 2026-04-17 path: "plugins/zeroize-audit/skills/zeroize-audit" - version: "0.1.0" + version: "0.2.0" provenance: repository_uri: "https://github.com/trailofbits/skills" From 3626f099c53b82bdd32584991b596e216eccf29c Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Date: Fri, 3 Jul 2026 13:45:35 +0300 Subject: [PATCH 3/3] fix(skills): allowlist BEHAVIOR_EVAL_SUBPROCESS FP in zeroize-audit Scanner flagged two list-form subprocess.run() calls (generate_poc.py, check_rust_asm.py) as dangerous. Neither uses shell=True or takes attacker-controlled arguments -- fixed commands/scripts, one with an explicit timeout. Note: the other 5 skills bumped in this digest (agentic-actions-auditor, codeql, constant-time-analysis, sharp-edges, yara-rule-authoring) still fail skill-security-scan due to the known scanner meta-analyzer JSON-parse bug (dozens to hundreds of raw findings surviving as blocking) -- not fixed here, not practically allowlistable by hand. Co-Authored-By: Claude Sonnet 5 --- skills/zeroize-audit/spec.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/skills/zeroize-audit/spec.yaml b/skills/zeroize-audit/spec.yaml index 2eec86c2..9a3e4433 100644 --- a/skills/zeroize-audit/spec.yaml +++ b/skills/zeroize-audit/spec.yaml @@ -27,3 +27,10 @@ security: reason: "Matches the phrase 'secret argument' in tools/scripts/check_llvm_patterns.py where it labels compiler-detected patterns; the skill audits zeroization of secrets so references to the word 'secret' are expected." - rule_id: DATA_EXFIL_SENSITIVE_FILES reason: "tools/scripts/check_rust_asm.py reads a JSON config of Rust symbol names to audit; 'secrets_path' is the skill's internal config file path, not exfiltration of user secrets." + # FP: BEHAVIOR_EVAL_SUBPROCESS flags two list-form subprocess.run() calls, + # neither uses shell=True and neither takes attacker-controlled input: + # generate_poc.py invokes a local sibling script via sys.executable with + # fixed flag names; check_rust_asm.py invokes the fixed command "rustfilt" + # with an explicit timeout, piping asm text via stdin (not argv/shell). + - rule_id: BEHAVIOR_EVAL_SUBPROCESS + reason: "FP: matched list-form subprocess.run() calls in tools/generate_poc.py (invokes sys.executable + a local script with fixed flag names) and tools/scripts/check_rust_asm.py (invokes the fixed command 'rustfilt' with a timeout, input piped via stdin). Neither uses shell=True or attacker-controlled arguments."