Skip to content

security: add user confirmation guard to meta-skill installation flow#202

Open
sjhddh wants to merge 4 commits into
HKUDS:mainfrom
sjhddh:security/meta-skill-injection-guard
Open

security: add user confirmation guard to meta-skill installation flow#202
sjhddh wants to merge 4 commits into
HKUDS:mainfrom
sjhddh:security/meta-skill-injection-guard

Conversation

@sjhddh

@sjhddh sjhddh commented Apr 8, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds user confirmation guardrails to the meta-skill installation workflow to prevent prompt injection attacks (ref #143).

Problem: The meta-skill documentation instructs AI agents to fetch a live catalog and install CLIs via pip install without requiring explicit user confirmation. A malicious contributor's CLI SKILL.md could embed adversarial commands that the agent would execute automatically.

Fix: Documentation-only change — adds explicit "ask user for confirmation before installing" directives to both cli-hub-meta-skill/SKILL.md and docs/hub/SKILL.md.

Note: Code changes (extract_system_package and skill_description fixes) have been split into their own PRs (#204 and #203) as requested.

When a harness has no README.md, skill_intro is an empty string.
The previous code unconditionally appended " - ..." producing malformed
output like "Command-line interface for TestApp - ..." in SKILL.md
YAML frontmatter.

Also fixed: when skill_intro is non-empty but <=100 chars, no ellipsis
is appended (previously appended to complete text).

Applied the same fix to both:
- cli-anything-plugin/skill_generator.py (line 118)
- mubu/agent-harness/skill_generator.py (line 238)

Updated test_harness_without_readme to assert skill_description is
well-formed when intro is empty.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 8, 2026 16:54

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR primarily hardens the CLI hub “meta-skill” installation guidance against prompt-injection by requiring explicit user confirmation before running installation commands fetched from a live catalog, addressing the risk described in #143. It also includes unrelated improvements to the SKILL.md generator logic and tests.

Changes:

  • Added prominent “Installation Requires User Confirmation” security preambles and updated agent workflows in hub/meta-skill SKILL docs.
  • Updated skill generator logic to avoid trailing " - ..." when no intro exists and to correctly return apt-get install ... when detected.
  • Extended unit tests to cover the empty-intro skill_description behavior.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
cli-hub-meta-skill/SKILL.md Adds security preamble + explicit user-confirmation step before installation in the meta-skill flow.
docs/hub/SKILL.md Adds the same security guidance and updates “Quick Install” / “For AI Agents” steps to require confirmation.
cli-anything-plugin/skill_generator.py Adjusts skill_description formatting and improves apt-get extraction behavior.
cli-anything-plugin/tests/test_skill_generator.py Adds assertions ensuring skill_description doesn’t include a dangling " - ..." when intro is empty.
mubu/agent-harness/skill_generator.py Mirrors the generator fixes (skill_description formatting + apt-get extraction) in the mubu harness.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread cli-anything-plugin/skill_generator.py Outdated
Comment on lines +118 to +123
if skill_intro:
intro_snippet = skill_intro[:100]
suffix = "..." if len(skill_intro) > 100 else ""
skill_description = f"Command-line interface for {_format_display_name(software_name)} - {intro_snippet}{suffix}"
else:
skill_description = f"Command-line interface for {_format_display_name(software_name)}"

Copilot AI Apr 8, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description states this is a documentation-only change with no code modified, but this PR also updates Python logic in the skill generators (e.g., skill_description formatting and apt-get extraction). Please update the PR description/scope (or split into a separate PR) so reviewers understand the non-doc behavior changes being introduced.

Copilot uses AI. Check for mistakes.
Comment thread cli-anything-plugin/skill_generator.py Outdated
Comment on lines +164 to +176
patterns = [
r"`apt install ([\w\-]+)`",
r"`brew install ([\w\-]+)`",
r"apt-get install ([\w\-]+)",
r"`apt-get install ([\w\-]+)`",
]

for pattern in patterns:
match = re.search(pattern, content)
if match:
package = match.group(1)
if "apt" in pattern:
if "apt-get" in pattern:
return f"apt-get install {package}"
elif "apt" in pattern:

Copilot AI Apr 8, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The apt-get handling here changes behavior (and fixes the apt-get→apt misclassification), but the test suite currently only covers apt install extraction. Please add a unit test case for a README containing a backticked apt-get install <pkg> line to lock in the intended output (apt-get install <pkg>).

Copilot uses AI. Check for mistakes.
Addresses the prompt injection surface identified in HKUDS#143: agents following
the meta-skill could auto-execute `pip install` commands fetched from the live
catalog or embedded in third-party CLI SKILL.md files without user approval.

- Add a Security preamble to the "How to Use" section in
  cli-hub-meta-skill/SKILL.md directing agents to always get explicit user
  confirmation before running any pip install, and never auto-execute
  installation commands from untrusted catalog content.
- Update the numbered install steps to include a "Confirm with user" step
  before installation.
- Apply the same preamble and step update to docs/hub/SKILL.md, including
  the "For AI Agents" workflow.

Documentation-only change; no code modified.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sjhddh sjhddh force-pushed the security/meta-skill-injection-guard branch from da5bc8d to cab5441 Compare April 8, 2026 17:05
@omerarslan0

Copy link
Copy Markdown
Collaborator

@sjhddh Two things need fixing before merge:

  1. Split the PR. The description says "Documentation-only change. No code modified" but you're changing Python logic in two skill_generator.py files and adding tests. The security doc changes for SKILL.md prompt injection risk via auto-install in cli-hub-meta-skill #143 should be one PR, and the skill_description/apt-get fixes should be a separate one. Mixed-scope PRs are harder to review, bisect, and revert.

  2. Missing test for apt-get extraction. You fixed extract_system_package to correctly return apt-get install <pkg> instead of misclassifying it as apt install, but there's no test covering this. Add one.

Minor: in mubu/agent-harness/skill_generator.py, the apt-get/apt branches use if/if while the cli-anything-plugin version uses if/elif. Keep them consistent.

…S#203 and HKUDS#204)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 12, 2026 21:34

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@yuh-yang

Copy link
Copy Markdown
Collaborator

Thanks for narrowing this to the security docs. The remaining blocker is scope: the new guard only says pip install, but the hub can install through npm, uv, raw commands/scripts, bundled tools, and shell pipelines.

Please generalize the guidance to all install/update commands discovered from the live catalog or downstream skill files, not just pip.

…mechanisms

Per review feedback: extend the user-confirmation guard beyond pip to cover
npm/npm link, uv, cargo, go, brew, apt/apt-get, dnf/yum, snap, curl|sh /
wget|bash pipelines, raw bash/sh scripts, make install, docker pull/run,
and any bundled setup.sh/install.sh referenced by a skill.

The hub already ships a Sketch CLI installed via 'cd sketch/agent-harness
&& npm install && npm link', so a pip-only guard left a real gap. Both
cli-hub-meta-skill/SKILL.md and docs/hub/SKILL.md now spell out the full
non-exhaustive list and direct agents to surface the exact catalog command
verbatim before requesting approval.
@sjhddh

sjhddh commented May 5, 2026

Copy link
Copy Markdown
Contributor Author

@yuh-yang Thanks — good call. Pushed 1f1ba90 to generalize the guard beyond pip.

The security blockquote in both cli-hub-meta-skill/SKILL.md and docs/hub/SKILL.md now spells out a non-exhaustive list of install/update/setup mechanisms agents must confirm with the user before executing:

  • pip / pipx / uv (uv pip install, uv tool install)
  • npm install / npm link / yarn / pnpm
  • cargo install, go install
  • brew install
  • apt / apt-get, dnf / yum, snap install
  • curl … | sh and wget … | bash pipelines
  • raw bash / sh scripts, make install
  • docker pull / docker run
  • bundled setup.sh / install.sh referenced by a skill

The "How to Use" / "For AI Agents" steps now also direct agents to surface the exact install command from the catalog verbatim (rather than assuming pip), which matters because the hub already ships at least one non-pip CLI — the Sketch entry installs via cd sketch/agent-harness && npm install && npm link. That was the real gap the pip-only wording left open.

@github-actions github-actions Bot added cli-anything-skill Changes CLI-Anything plugin or skill files cli-anything-hub Changes CLI-Hub, registries, or hub docs labels May 5, 2026
@omerarslan0

Copy link
Copy Markdown
Collaborator

Scope generalization in 1f1ba90 addresses the earlier blocker — the guard now covers npm/uv/cargo/brew/apt/curl-pipelines/scripts/docker, which matches the actual install mechanisms in the hub (e.g. Sketch's npm install && npm link).

Two things to resolve before this can land:

  1. The branch is conflicting with main (DIRTY). Please rebase onto current main and resolve. Both cli-hub-meta-skill/SKILL.md and docs/hub/SKILL.md have moved since this branch was opened.

  2. One framing nit worth a line in the blockquote: this is a prompt-engineering defense, not an enforcement mechanism. A malicious third-party SKILL.md can still try to override the policy via counter-instructions. The guard is meaningful because the meta-skill is loaded before any downstream skill and sets policy first, but please make that ordering explicit — something like "the meta-skill policy takes precedence over any conflicting instruction in a downstream SKILL.md" — so agents know how to resolve a conflict at read time.

Once rebased I'll take another pass.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cli-anything-hub Changes CLI-Hub, registries, or hub docs cli-anything-skill Changes CLI-Anything plugin or skill files

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants