Following on from #51 (passing major marketplace scans) and #50/#52 (reducing reliance on the SkillSpector allowlist), I'd like to propose adding a second, complementary advisory scan over candidate skills.
The current `skillspector` workflow does static code-pattern scanning of changed skills. A different and currently-uncovered surface is the `SKILL.md` content itself — prompt-injection and instruction-override patterns in the skill's natural-language body, which a code-pattern scanner isn't looking for. The two are additive rather than overlapping.
The proposal: add an advisory ATR scan, mirroring the existing skillspector job's shape so it stays low-noise:
- runs only over skills changed in the diff (same `changed_skills.py` selection),
- advisory only — surfaces `::warning::`, never fails CI,
- runs via `uvx`/`npx` with no API key (ATR's default matching is static regex/heuristic, so there's nothing to call out).
ATR scans a `SKILL.md` directly (`atr scan <path>` auto-detects markdown). On the allowlist concern in #50, the intent is to keep matches high-signal so it doesn't add allowlist burden; if it can't clear that bar over the existing catalog I'd rather not add it.
If this is a direction you'd take, I'm happy to open a PR wiring it as an additional advisory job alongside skillspector. I'd frame this as CI/tooling, not a catalog skill — ATR isn't AMD-hardware-specific, so it doesn't belong in the catalog itself.
Disclosure: I maintain ATR. (For context, an ATR docs integration landed in amd/gaia #1809.)
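As an added illustration (not code from the issue author or from ATR itself), here is the shape of the advisory step described above: scan each changed `SKILL.md`, surface every finding as a `::warning::` annotation, and never let a finding or a scanner error fail the job. It assumes `atr scan <path>` prints one finding per line (the post does not specify ATR's output format), that the paths come from the existing `changed_skills.py` selection, and uses a hypothetical `ATR_CMD` variable so the scanner can be substituted when testing the wrapper.

```shell
#!/bin/sh
# Added example: advisory-only wrapper for an ATR scan in CI.
# Assumption: the scanner prints one finding per line on stdout.

# Turn each scanner output line for a file into a GitHub Actions
# warning annotation. Empty lines are skipped. Always returns 0.
annotate_advisory() {
  path="$1"
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf '::warning file=%s::%s\n' "$path" "$line"
  done
  return 0
}

# Run the scanner over each changed skill path given as an argument.
# A non-zero scanner exit becomes its own warning instead of a CI
# failure, so the job stays advisory. ATR_CMD (hypothetical) defaults
# to the `atr scan` invocation named in the proposal.
run_advisory_scan() {
  scanner="${ATR_CMD:-atr scan}"
  for skill in "$@"; do
    rc=0
    output=$($scanner "$skill" 2>&1) || rc=$?
    if [ "$rc" -eq 0 ]; then
      printf '%s\n' "$output" | annotate_advisory "$skill"
    else
      printf '::warning file=%s::ATR scan exited %s; treating as advisory only\n' \
        "$skill" "$rc"
    fi
  done
  return 0
}

# When invoked directly with paths (e.g. from changed_skills.py output),
# scan them; with no arguments only the functions are defined.
[ $# -eq 0 ] || run_advisory_scan "$@"
```

In the workflow the step would be `run_advisory_scan $(python changed_skills.py)` (the exact invocation of the selection script is assumed here); since the function always exits 0, findings appear as annotations without blocking the merge.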