fix(neo): sanitize skill name in frontmatter to prevent injection

Sanitized the name field in SKILL.md frontmatter within astrbot/core/skills/neo_skill_sync.py. This prevents potential frontmatter injection vulnerabilities by removing newlines and control characters from the skill name. Verified the fix with a reproduction script and ensured existing tests pass.
camera-2018
2026-02-26 16:04:42 +08:00
committed by GitHub
+1
@@ -95,6 +95,7 @@ def _ensure_skill_frontmatter(markdown: str, *, skill_name: str, skill_key: str)
frontmatter, body = _parse_frontmatter(markdown)
name = frontmatter.get("name") or skill_name
name = " ".join(str(name).split())
description = frontmatter.get("description") or _derive_description(body)
if not description:
description = f"Synced skill for `{skill_key}`."
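Review bot: The whitespace collapse added for `name` covers only what `str.split()` treats as whitespace, so other control characters (NUL, ESC) and YAML-significant sequences such as `: ` or ` #` still pass through, and `description`, read from the same frontmatter on the next line, gets no normalization in the visible lines. The function continues outside this hunk; if it writes these values by string formatting, a multi-line description could still add or override frontmatter keys. Normalize `description` the same way once its fallback has been applied, `description = " ".join(str(description).split())`, and emit both values as quoted scalars or through a YAML serializer rather than raw interpolation. A whitespace-only `name` now collapses to an empty string with no fallback; `name = " ".join(str(name).split()) or skill_name` would restore it.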