fix(install): validation for long inputs and empty skill names

Author: yeasy

CHANGELOG.md

@@ -19,6 +19,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Panic on Single-Word Install**: Fixed critical panic when using `ask install <name>` with a single word argument.
 - **Uninstall Alias**: Added missing top-level `ask uninstall` alias (previously only `ask skill uninstall` worked).
 - **Documentation**: Removed invalid `skillhub/skills` repository example and clarified `mcp-builder` installation.
+- **Input Validation**: Added input length limits and stricter validation to prevent empty skill name installations from malformed inputs.
+- **Robustness**: Improved re-installation check safety.
 
 ### Changed
 - **Repository Naming**: Local cache directories now use the user-configured repository name (e.g. `anthropics`).

cmd/install.go

@@ -59,6 +59,8 @@ If no agent is specified, skills are installed to .agent/skills/ by default.`,
 	Run:  runInstall,
 }
 
+const maxInputLength = 255
+
 func runInstall(cmd *cobra.Command, args []string) {
 	// Check for offline mode
 	if offline, _ := cmd.Flags().GetBool("offline"); offline || github.OfflineMode {
@@ -103,6 +105,12 @@ func runInstall(cmd *cobra.Command, args []string) {
 
 	var expandedArgs []string
 	for _, input := range args {
+		if len(input) > maxInputLength {
+			fmt.Printf("Error: Input '%s...' is too long (max %d chars)\n", input[:20], maxInputLength)
+			failed = append(failed, input)
+			continue
+		}
+
 		// Check if input matches a configured repository name
 		var targetRepo *config.Repo
 		for i := range cfg.Repos {
@@ -576,6 +584,10 @@ func installSingleSkill(input string, global bool, agents []string, cfg *config.
 		}
 	}
 
+	if skillName == "" || strings.TrimSpace(skillName) == "" {
+		return fmt.Errorf("could not determine skill name from input '%s'", input)
+	}
+
 	fmt.Printf("Installing %s to %s...\n", skillName, scopeLabel)
 
 	// Check if already installed in all targets