fix(neo): sanitize skill name in frontmatter to prevent injection

Sanitize the `name` field in `SKILL.md` frontmatter to remove newlines and control characters. This prevents potential frontmatter injection vulnerabilities where a malicious skill name could introduce arbitrary YAML fields or corrupt the file structure.

- Modified `_ensure_skill_frontmatter` in `astrbot/core/skills/neo_skill_sync.py` to normalize whitespace in `name`.
- Ensured `name` is cast to string before splitting to handle non-string inputs safely.
camera-2018
2026-02-26 08:03:44 +00:00
parent e95bd8d3a6
commit 87cbcc9875
@@ -95,6 +95,7 @@ def _ensure_skill_frontmatter(markdown: str, *, skill_name: str, skill_key: str)
frontmatter, body = _parse_frontmatter(markdown)
name = frontmatter.get("name") or skill_name
name = " ".join(str(name).split())
description = frontmatter.get("description") or _derive_description(body)
if not description:
description = f"Synced skill for `{skill_key}`."
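Review bot: On the added line `name = " ".join(str(name).split())`, normalization runs after the `or skill_name` fallback on the line above, so a whitespace-only `name` (a lone newline, for example) is truthy, skips the fallback, and then collapses to an empty string. Apply the fallback again after normalizing, with the fallback value normalized as well, so the emitted `name` is never empty. Two further gaps are visible in this hunk: `str.split()` only drops whitespace, so non-whitespace control characters such as NUL or ESC survive even though the commit message says control characters are removed; and `description` on the next line is read from the same frontmatter with no equivalent normalization, so if it is written back the same way as `name`, the newline injection path stays open there. A test that feeds a multi-line `name` and `description` through `_ensure_skill_frontmatter` would pin the intended behaviour.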