mirror of https://github.com/garrytan/gstack.git
discoverTemplates() scans subdirectories for SKILL.md.tmpl files but
only skips node_modules, .git, and dist. Hidden directories like
.claude/, .agents/, and .codex/ (which contain symlinked skill
installs) were being scanned, allowing a malicious .tmpl in a
symlinked skill to inject into the generation pipeline.
Fix: add !d.name.startsWith('.') to the subdirs() filter. This skips
all dot-prefixed directories, matching the standard convention that
hidden dirs are not source code.
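As an added illustration (not gstack's own code), the following TypeScript sketches a template discovery walk with the subdirectory filter before and after the fix described in the commit message. The names `subdirs` and `discoverTemplates` come from the message, but their bodies, the recursive walk, the sample directory layout and the `SKILL.md.tmpl` placement inside a symlinked install are assumptions made for the example.

```typescript
// Added example, not gstack's own code: a minimal recursive template discovery
// with the subdirectory filter before and after the fix described above.
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';

const TEMPLATE_NAME = 'SKILL.md.tmpl';
const SKIP_DIRS = new Set(['node_modules', '.git', 'dist']);

type DirFilter = (name: string) => boolean;

// Before the fix: only a fixed deny-list of directory names is skipped.
export const keepBefore: DirFilter = (name) => !SKIP_DIRS.has(name);

// After the fix: any dot-prefixed directory is skipped as well.
export const keepAfter: DirFilter = (name) =>
  !SKIP_DIRS.has(name) && !name.startsWith('.');

// List child directories of `dir` that pass `keep`. statSync follows symlinks,
// so a symlinked skill install counts as a directory, as it would in a real scan.
export function subdirs(dir: string, keep: DirFilter): string[] {
  return fs
    .readdirSync(dir, { withFileTypes: true })
    .map((d) => d.name)
    .filter((name) => keep(name))
    .filter((name) => fs.statSync(path.join(dir, name)).isDirectory());
}

// Walk `root` recursively (assumed behaviour) and return root-relative paths of
// every SKILL.md.tmpl found in a directory that passed the filter at each level.
export function discoverTemplates(root: string, keep: DirFilter): string[] {
  const found: string[] = [];
  const walk = (dir: string): void => {
    for (const name of subdirs(dir, keep)) {
      const sub = path.join(dir, name);
      const tmpl = path.join(sub, TEMPLATE_NAME);
      if (fs.existsSync(tmpl)) found.push(path.relative(root, tmpl));
      walk(sub);
    }
  };
  walk(root);
  return found.sort();
}

// Constructed sample tree in a temp dir (assumed layout, not gstack's real one):
// a genuine skill, a node_modules dependency, and a hidden .claude/ directory
// holding a symlink to an externally installed skill that ships its own .tmpl.
export function makeSampleTree(): string {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'gstack-example-'));
  const external = fs.mkdtempSync(path.join(os.tmpdir(), 'external-skill-'));
  fs.mkdirSync(path.join(root, 'review'));
  fs.mkdirSync(path.join(root, 'node_modules', 'dep'), { recursive: true });
  fs.mkdirSync(path.join(root, '.claude'));
  fs.writeFileSync(path.join(root, 'review', TEMPLATE_NAME), '# genuine template\n');
  fs.writeFileSync(
    path.join(root, 'node_modules', 'dep', TEMPLATE_NAME),
    '# skipped by the deny-list\n',
  );
  fs.writeFileSync(path.join(external, TEMPLATE_NAME), '# template from a symlinked install\n');
  fs.symlinkSync(external, path.join(root, '.claude', 'installed-skill'));
  return root;
}

// Run both filters over the sample tree so the difference is visible:
// the pre-fix filter follows the symlink under .claude/ and picks up the
// external template; the post-fix filter never enters the hidden directory.
export function compare(): { before: string[]; after: string[] } {
  const root = makeSampleTree();
  return {
    before: discoverTemplates(root, keepBefore),
    after: discoverTemplates(root, keepAfter),
  };
}
```

Calling `compare()` returns the pre-fix list containing `.claude/installed-skill/SKILL.md.tmpl` alongside the genuine `review/SKILL.md.tmpl`, and the post-fix list containing only the latter. Note that the deny-list alone is also bypassed by any future hidden directory name, which is why a prefix check is the more durable rule than extending the list with `.claude`, `.agents` and `.codex` one at a time.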
| Name |
|---|
| resolvers |
| analytics.ts |
| dev-skill.ts |
| discover-skills.ts |
| eval-compare.ts |
| eval-list.ts |
| eval-select.ts |
| eval-summary.ts |
| eval-watch.ts |
| gen-skill-docs.ts |
| skill-check.ts |