fix(security): address path traversal and CRLF vulnerabilities

- agent.ts: Sanitize skill.name when building default filename
- publish.ts: Add sanitizeSkillName() to validate skill names before
  using in file paths, verify resolved paths stay within target dir
- skill-converter.ts: Normalize CRLF to LF before extracting body
  content to handle Windows-style line endings
- wellknown.ts: Add sanitizeSkillName() to validate remote skill names,
  verify resolved paths stay within temp dir, encode URL components

Author: rohitg00

packages/cli/src/commands/publish.ts

@@ -1,9 +1,21 @@
 import { existsSync, readFileSync, mkdirSync, writeFileSync, readdirSync, statSync } from 'node:fs';
-import { join, basename, dirname } from 'node:path';
+import { join, basename, dirname, resolve } from 'node:path';
 import chalk from 'chalk';
 import { Command, Option } from 'clipanion';
 import { generateWellKnownIndex, type WellKnownSkill } from '@skillkit/core';
 
+function sanitizeSkillName(name: string): string | null {
+  if (!name || typeof name !== 'string') return null;
+  const base = basename(name);
+  if (base !== name || name.includes('..') || name.includes('/') || name.includes('\\')) {
+    return null;
+  }
+  if (!/^[a-zA-Z0-9._-]+$/.test(name)) {
+    return null;
+  }
+  return name;
+}
+
 interface SkillFrontmatter {
   name?: string;
   description?: string;
@@ -61,19 +73,33 @@ export class PublishCommand extends Command {
 
     const wellKnownSkills: WellKnownSkill[] = [];
 
+    const validSkills: Array<{ name: string; safeName: string; description?: string; path: string }> = [];
+
     for (const skill of discoveredSkills) {
+      const safeName = sanitizeSkillName(skill.name);
+      if (!safeName) {
+        console.log(chalk.yellow(`  ${chalk.yellow('⚠')} Skipping "${skill.name}" (invalid name - must be alphanumeric with hyphens/underscores)`));
+        continue;
+      }
+
       const files = this.getSkillFiles(skill.path);
-      console.log(chalk.dim(`  ${chalk.green('●')} ${skill.name}`));
+      console.log(chalk.dim(`  ${chalk.green('●')} ${safeName}`));
       console.log(chalk.dim(`    Description: ${skill.description || 'No description'}`));
       console.log(chalk.dim(`    Files: ${files.join(', ')}`));
 
+      validSkills.push({ name: skill.name, safeName, description: skill.description, path: skill.path });
       wellKnownSkills.push({
-        name: skill.name,
+        name: safeName,
         description: skill.description,
         files,
       });
     }
 
+    if (validSkills.length === 0) {
+      console.error(chalk.red('\nNo valid skills to publish'));
+      return 1;
+    }
+
     console.log('');
 
     if (this.dryRun) {
@@ -94,14 +120,23 @@ export class PublishCommand extends Command {
     const wellKnownDir = join(outputDir, '.well-known', 'skills');
     mkdirSync(wellKnownDir, { recursive: true });
 
-    for (const skill of discoveredSkills) {
-      const skillDir = join(wellKnownDir, skill.name);
+    for (const skill of validSkills) {
+      const skillDir = join(wellKnownDir, skill.safeName);
+      const resolvedSkillDir = resolve(skillDir);
+      const resolvedWellKnownDir = resolve(wellKnownDir);
+
+      if (!resolvedSkillDir.startsWith(resolvedWellKnownDir)) {
+        console.log(chalk.yellow(`  Skipping "${skill.name}" (path traversal detected)`));
+        continue;
+      }
+
       mkdirSync(skillDir, { recursive: true });
 
       const files = this.getSkillFiles(skill.path);
       for (const file of files) {
+        const safeFile = basename(file);
         const sourcePath = join(skill.path, file);
-        const destPath = join(skillDir, file);
+        const destPath = join(skillDir, safeFile);
         const content = readFileSync(sourcePath, 'utf-8');
         writeFileSync(destPath, content);
       }

packages/core/src/agents/skill-converter.ts

@@ -209,6 +209,7 @@ function appendYamlList(lines: string[], key: string, items?: string[]): void {
 
 /**
  * Extract body content from skill markdown (without frontmatter)
+ * Handles both Unix (LF) and Windows (CRLF) line endings
  */
 function extractBodyContent(content: string): string {
   const normalized = content.replace(/\r\n/g, '\n');

packages/core/src/providers/wellknown.ts

@@ -1,11 +1,23 @@
 import { existsSync, mkdirSync, writeFileSync, rmSync } from 'node:fs';
-import { join, basename } from 'node:path';
+import { join, basename, resolve } from 'node:path';
 import { tmpdir } from 'node:os';
 import { randomUUID } from 'node:crypto';
 import type { GitProviderAdapter, CloneOptions } from './base.js';
 import { isGitUrl, isLocalPath } from './base.js';
 import type { GitProvider, CloneResult } from '../types.js';
 
+function sanitizeSkillName(name: string): string | null {
+  if (!name || typeof name !== 'string') return null;
+  const base = basename(name);
+  if (base !== name || name.includes('..') || name.includes('/') || name.includes('\\')) {
+    return null;
+  }
+  if (!/^[a-zA-Z0-9._-]+$/.test(name)) {
+    return null;
+  }
+  return name;
+}
+
 export interface WellKnownSkill {
   name: string;
   description?: string;
@@ -94,18 +106,31 @@ export class WellKnownProvider implements GitProviderAdapter {
       const baseSkillsUrl = calculateBaseSkillsUrl(foundUrl);
 
       for (const skill of index.skills) {
-        const skillDir = join(tempDir, skill.name);
+        const safeName = sanitizeSkillName(skill.name);
+        if (!safeName) {
+          continue;
+        }
+
+        const skillDir = join(tempDir, safeName);
+        const resolvedSkillDir = resolve(skillDir);
+        const resolvedTempDir = resolve(tempDir);
+
+        if (!resolvedSkillDir.startsWith(resolvedTempDir + '/') && resolvedSkillDir !== resolvedTempDir) {
+          continue;
+        }
+
         mkdirSync(skillDir, { recursive: true });
 
         let hasSkillMd = false;
 
         for (const file of skill.files) {
-          const fileUrl = `${baseSkillsUrl}/${skill.name}/${file}`;
+          const fileUrl = `${baseSkillsUrl}/${encodeURIComponent(skill.name)}/${encodeURIComponent(file)}`;
           try {
             const response = await fetch(fileUrl);
             if (response.ok) {
               const content = await response.text();
-              writeFileSync(join(skillDir, basename(file)), content);
+              const safeFileName = basename(file);
+              writeFileSync(join(skillDir, safeFileName), content);
 
               if (file === 'SKILL.md' || file.endsWith('/SKILL.md')) {
                 hasSkillMd = true;
@@ -117,10 +142,10 @@ export class WellKnownProvider implements GitProviderAdapter {
         }
 
         if (hasSkillMd) {
-          skills.push(skill.name);
+          skills.push(safeName);
           discoveredSkills.push({
-            name: skill.name,
-            dirName: skill.name,
+            name: safeName,
+            dirName: safeName,
             path: skillDir,
           });
         }