Fix shell injection in validate-frontmatter workflow

The 'Validate frontmatter' step interpolated step output directly into a double-quoted shell string, allowing a fork PR that adds a file named e.g. agents/$(curl ...).md to execute arbitrary commands on the runner. - Pass the file list via env: and reference as "$FILES" so the shell never re-evaluates the contents - Pass PR number via env: for consistency (no ${{ }} inside run:) - Gate the job on same-repo PRs only, since fork PRs are auto-closed by close-external-prs.yml anyway Impact was bounded (fork PRs get a read-only token with no secrets), but this closes the RCE-on-runner vector entirely.
Add logfire plugin (#1613 )
2026-04-29 14:02:42 +00:00 · 2026-04-27 17:38:18 -07:00 · 2026-04-27 12:37:20 -07:00 · 2026-04-27 12:37:15 -07:00 · 2026-04-27 12:37:11 -07:00 · 2026-04-27 12:37:07 -07:00
2 changed files with 114 additions and 4 deletions
--- a/.claude-plugin/marketplace.json
+++ b/.claude-plugin/marketplace.json
@@ -7,6 +7,22 @@
    "email": "support@anthropic.com"
  },
  "plugins": [
+    {
+      "name": "42crunch-api-security-testing",
+      "description": "Automate API security directly in Claude Code with 42Crunch - automatically audit OpenAPI specs, detect vulnerabilities aligned with OWASP API Security risks (including BOLA/BFLA), and apply AI-powered fixes. Designed for AI-assisted development workflows, it provides continuous guardrails through an audit->scan->remediate->validate loop, ensuring APIs meet enterprise security standards before deployment.",
+      "author": {
+        "name": "42Crunch"
+      },
+      "category": "security",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/42Crunch-AI/claude-plugins.git",
+        "path": "plugins/api-security-testing",
+        "ref": "v1.0.1",
+        "sha": "56273e0e20762d76640838300a7431c4260cad32"
+      },
+      "homepage": "https://42crunch.com"
+    },
    {
      "name": "adlc",
      "description": "Agentforce Agent Development Life Cycle — author, discover, scaffold, deploy, test, and optimize .agent files",
@@ -71,6 +87,20 @@
      },
      "homepage": "https://github.com/AikidoSec/aikido-claude-plugin"
    },
+    {
+      "name": "aiven",
+      "description": "Easily deploy managed PostgreSQL, Kafka, OpenSearch, Clickhouse, and other databases, streaming, and apps through Aiven. Free tier available, up and running in minutes.",
+      "author": {
+        "name": "Aiven"
+      },
+      "category": "database",
+      "source": {
+        "source": "github",
+        "repo": "aiven/aiven-ai-plugins",
+        "commit": "d2a7697b53826588d0faf795f39d2aa2362330da"
+      },
+      "homepage": "https://aiven.io"
+    },
    {
      "name": "alloydb",
      "description": "Create, connect, and interact with an AlloyDB for PostgreSQL database and data.",
@@ -567,6 +597,20 @@
      },
      "homepage": "https://www.datadoghq.com/"
    },
+    {
+      "name": "datarobot-agent-skills",
+      "description": "DataRobot skills for AI/ML workflows — model training, deployment, predictions, feature engineering, monitoring, explainability, data preparation, App Framework CI/CD, and external agent monitoring.",
+      "author": {
+        "name": "DataRobot"
+      },
+      "category": "development",
+      "source": {
+        "source": "url",
+        "url": "https://github.com/datarobot-oss/datarobot-agent-skills.git",
+        "sha": "b3e8fd33d7c36592c802359026c15f3e067a0646"
+      },
+      "homepage": "https://datarobot.com"
+    },
    {
      "name": "dataverse",
      "description": "Agent skills for building on, analyzing, and managing Microsoft Dataverse — with Dataverse MCP, PAC CLI, and Python SDK.",
@@ -749,6 +793,20 @@
      "category": "development",
      "homepage": "https://github.com/anthropics/claude-plugins-public/tree/main/plugins/frontend-design"
    },
+    {
+      "name": "fullstory",
+      "description": "Connect Claude to Fullstory to query behavioral analytics, session replays, and customer experience insights.",
+      "author": {
+        "name": "Fullstory"
+      },
+      "category": "monitoring",
+      "source": {
+        "source": "github",
+        "repo": "fullstorydev/fullstory-skills",
+        "commit": "1ec5865e7ab1449f9a0859d164c4b6a8c53b6e2f"
+      },
+      "homepage": "https://www.fullstory.com"
+    },
    {
      "name": "github",
      "description": "Official GitHub MCP server for repository management. Create issues, manage pull requests, review code, search repositories, and interact with GitHub's full API directly from Claude Code.",
@@ -871,6 +929,21 @@
        }
      }
    },
+    {
+      "name": "jfrog",
+      "description": "Use the JFrog Platform from Claude Code: Artifactory repos and artifacts, security findings and exposures, Catalog package safety and downloads, workflows across the SDLC, and platform administration.",
+      "author": {
+        "name": "JFrog Ltd.",
+        "url": "https://jfrog.com"
+      },
+      "category": "security",
+      "source": {
+        "source": "github",
+        "repo": "jfrog/claude-plugin",
+        "commit": "761921eaa12b845beba1688d699a2d45091dfe83"
+      },
+      "homepage": "https://jfrog.com"
+    },
    {
      "name": "kotlin-lsp",
      "description": "Kotlin language server for code intelligence",
@@ -966,6 +1039,21 @@
      },
      "homepage": "https://github.com/Shopify/liquid-skills/tree/main/plugins/liquid-skills"
    },
+    {
+      "name": "logfire",
+      "description": "Add Logfire observability to Python applications with auto-instrumentation for FastAPI, httpx, asyncpg, SQLAlchemy, and more",
+      "author": {
+        "name": "Pydantic"
+      },
+      "category": "monitoring",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/pydantic/skills.git",
+        "path": "plugins/logfire",
+        "ref": "main"
+      },
+      "homepage": "https://github.com/pydantic/skills/tree/main/plugins/logfire"
+    },
    {
      "name": "lua-lsp",
      "description": "Lua language server for code intelligence",
@@ -1368,6 +1456,21 @@
      },
      "homepage": "https://quarkus.io"
    },
+    {
+      "name": "rails-query",
+      "description": "Run read-only database queries against a Ruby on Rails 8.2+ app's database via `rails query` — ActiveRecord or SQL, schema/model introspection, EXPLAIN, pagination, and remote execution via Kamal.",
+      "author": {
+        "name": "Lewis Buckley",
+        "url": "https://github.com/lewispb"
+      },
+      "category": "development",
+      "source": {
+        "source": "github",
+        "repo": "lewispb/rails-query-skill",
+        "commit": "0f53fa861089e1f46097db9a92aea311f340c355"
+      },
+      "homepage": "https://github.com/lewispb/rails-query-skill"
+    },
    {
      "name": "railway",
      "description": "Deploy and manage apps, databases, and infrastructure on Railway. Covers project setup, deploys, environment configuration, networking, troubleshooting, and monitoring.",
--- a/.github/workflows/validate-frontmatter.yml
+++ b/.github/workflows/validate-frontmatter.yml
@@ -9,6 +9,10 @@ on:

 jobs:
  validate:
+    # Fork PRs are auto-closed by close-external-prs.yml, so skip validation
+    # for them entirely. This also prevents untrusted filenames from forks
+    # from ever reaching the shell steps below.
+    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@@ -20,16 +24,19 @@ jobs:

      - name: Get changed frontmatter files
        id: changed
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Use diff-filter=AMRC to exclude deleted files (D) - only Added, Modified, Renamed, Copied
-          FILES=$(gh pr diff ${{ github.event.pull_request.number }} --name-only --diff-filter=AMRC | grep -E '(agents/.*\.md|skills/.*/SKILL\.md|commands/.*\.md)$' || true)
+          FILES=$(gh pr diff "$PR_NUMBER" --name-only --diff-filter=AMRC | grep -E '(agents/.*\.md|skills/.*/SKILL\.md|commands/.*\.md)$' || true)
          echo "files<<EOF" >> "$GITHUB_OUTPUT"
          echo "$FILES" >> "$GITHUB_OUTPUT"
          echo "EOF" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: ${{ github.token }}

      - name: Validate frontmatter
        if: steps.changed.outputs.files != ''
+        env:
+          FILES: ${{ steps.changed.outputs.files }}
        run: |
-          echo "${{ steps.changed.outputs.files }}" | xargs bun .github/scripts/validate-frontmatter.ts
+          printf '%s\n' "$FILES" | xargs bun .github/scripts/validate-frontmatter.ts
Author	SHA1	Message	Date
Dickson Tsai	068a59e000	Fix shell injection in validate-frontmatter workflow The 'Validate frontmatter' step interpolated step output directly into a double-quoted shell string, allowing a fork PR that adds a file named e.g. agents/$(curl ...).md to execute arbitrary commands on the runner. - Pass the file list via env: and reference as "$FILES" so the shell never re-evaluates the contents - Pass PR number via env: for consistency (no ${{ }} inside run:) - Gate the job on same-repo PRs only, since fork PRs are auto-closed by close-external-prs.yml anyway Impact was bounded (fork PRs get a read-only token with no secrets), but this closes the RCE-on-runner vector entirely.	2026-04-27 17:38:18 -07:00
Bryan Thompson	1c81b81299	Add logfire plugin (#1613 )	2026-04-27 12:37:20 -07:00
Bryan Thompson	7d42fe2132	Add 42crunch-api-security-testing plugin (#1580 )	2026-04-27 12:37:15 -07:00
Bryan Thompson	71545a2994	Add datarobot-agent-skills plugin (#1579 )	2026-04-27 12:37:11 -07:00
Bryan Thompson	458b2799c5	Add aiven plugin (#1578 )	2026-04-27 12:37:07 -07:00
Bryan Thompson	26973b887b	Add fullstory plugin (#1577 )	2026-04-27 12:37:03 -07:00
Bryan Thompson	6fc0a4b36a	Add jfrog plugin (#1576 )	2026-04-27 12:36:58 -07:00
Bryan Thompson	27cab8ee35	Add rails-query plugin (#1575 )	2026-04-27 12:36:54 -07:00