Skip to content

fix(skills): harden fix-findings and fix-review against untrusted input#14

Merged
breadoncee merged 2 commits into
mainfrom
security/harden-fix-skills
Mar 16, 2026
Merged

fix(skills): harden fix-findings and fix-review against untrusted input#14
breadoncee merged 2 commits into
mainfrom
security/harden-fix-skills

Conversation

@breadoncee

Copy link
Copy Markdown
Collaborator

Summary

  • Remove Bash from fix-findings allowed-tools to prevent command injection from malicious finding content
  • Add Security sections to both fix-findings and fix-review with path validation, content isolation, and no-auto-apply rules
  • Add explicit path validation step in fix-review Step 5 before reading/editing files

Context

skills.sh flagged fix-findings as High Risk (socket alert for shell access with untrusted input) and fix-review as Med Risk. These changes address both by:

  1. Eliminating shell access entirely from fix-findings
  2. Adding mandatory path validation (relative paths only, no .. traversal, no sensitive files)
  3. Documenting content isolation and scope restriction rules

Test plan

  • scripts/validate-skills.sh passes for all 12 skills
  • Re-run skills.sh scanner to verify risk reduction

Remove Bash from fix-findings allowed-tools to prevent command injection.
Add Security sections with path validation, content isolation, and
no-auto-apply rules to both skills.
@gemini-code-assist

Copy link
Copy Markdown

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture of the fix-findings and fix-review skills. It addresses identified risks by implementing robust input validation and clarifying secure operational guidelines, thereby mitigating vulnerabilities related to untrusted input and potential command injection.

Highlights

  • fix-findings Security Enhancement: Removed Bash from the allowed-tools list for fix-findings to prevent potential command injection vulnerabilities from malicious finding content.
  • Security Sections Added: Introduced dedicated "Security" sections to both fix-findings and fix-review skill documentation, outlining mandatory path validation, content isolation, and no-auto-apply rules.
  • fix-review Path Validation: Added an explicit path validation step within the fix-review process to ensure file paths are safe before reading or editing.
Changelog
  • skills/fix-findings/SKILL.md
    • Removed Bash from the allowed-tools list to eliminate shell execution capabilities.
    • Added a comprehensive "Security" section detailing mandatory path validation, prohibition of shell execution, no auto-apply policy, and content isolation principles.
    • Updated the "Rules" section to explicitly reference the new "Security" section for path validation.
  • skills/fix-review/SKILL.md
    • Inserted a new step for explicit file path validation at the beginning of the fix application process.
    • Introduced a "Security" section outlining mandatory path validation, no auto-apply, content isolation, and scope restriction rules for handling PR review comments.
Activity
  • No human activity has been recorded on this pull request yet.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces important security hardening for the fix-findings and fix-review skills. Removing Bash from fix-findings and adding comprehensive security sections with rules for path validation and handling untrusted input are excellent changes. My review includes a few suggestions to make the security rules even more explicit and consistent across the skills, particularly regarding the definition of sensitive files and adding a scope restriction rule to fix-findings.

Note: Security Review has been skipped due to the limited scope of the PR.

Comment thread skills/fix-findings/SKILL.md Outdated
Comment thread skills/fix-findings/SKILL.md
Comment thread skills/fix-review/SKILL.md Outdated
Make sensitive file patterns more specific with concrete examples.
Add scope restriction rule to fix-findings for consistency with fix-review.
@breadoncee breadoncee self-assigned this Mar 16, 2026
@breadoncee
breadoncee merged commit 31eda90 into main Mar 16, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant