Summary
The frontmatter validator should detect potentially dangerous content in YAML frontmatter values that could cause problems for downstream consumers (CI systems, web UIs, skill registries) that interpolate or render these values.
Background
The current frontmatter validation (structure/frontmatter.go) checks required fields, enforces format/length constraints, and detects keyword stuffing. It uses Go's gopkg.in/yaml.v3, which is inherently safe against YAML deserialization attacks (e.g., !!python/object). However, it does not inspect the content of string values for patterns that are never legitimate in skill metadata but could be exploited by downstream systems.
What to detect
Template injection syntax in frontmatter values
Patterns like {{, ${{, and <% in frontmatter string values. These are template delimiters for Go templates, GitHub Actions expressions, and ERB/EJS respectively. If a downstream consumer interpolates a frontmatter value (e.g., rendering the skill name or description in a workflow or web page), these could lead to injection.
Examples of what should be flagged:
name: my-skill
description: "Run ${{ secrets.GITHUB_TOKEN }} to authenticate"name: my-skill
description: "Use {{ .Config.PrivateKey }} for setup"name: my-skill
description: "<%= system('whoami') %>"Null bytes in any frontmatter field
The character \x00 (null byte) in any frontmatter string value. Null bytes have no legitimate purpose in skill metadata and can cause truncation or parsing inconsistencies in C-based string handling, file systems, and some web frameworks.
YAML type coercion tags (informational)
While Go's YAML library handles these safely, tags like !!python/object, !!ruby/object/, and !!binary in frontmatter are a strong signal that the content was either crafted for a different parser or is intentionally malicious. These should produce at minimum an informational warning, since skills validated here may later be parsed by Python or Ruby tooling.
Proposed severity levels
| Pattern |
Level |
Template injection syntax ({{, ${{, <%) |
WARNING |
Null bytes (\x00) |
ERROR |
YAML type coercion tags (!!python/, !!ruby/, !!binary) |
WARNING |
Implementation notes
- The check should run in
CheckFrontmatter() alongside existing field validations
- Template injection patterns should be checked against all string-typed frontmatter values (name, description, license, compatibility, metadata values)
- Null byte check can scan the raw frontmatter string before YAML parsing
- YAML tag check can scan the raw frontmatter string for
!! prefixed tags
- False positive rate should be near zero — these patterns have no legitimate use in skill metadata
Summary
The frontmatter validator should detect potentially dangerous content in YAML frontmatter values that could cause problems for downstream consumers (CI systems, web UIs, skill registries) that interpolate or render these values.
Background
The current frontmatter validation (
structure/frontmatter.go) checks required fields, enforces format/length constraints, and detects keyword stuffing. It uses Go'sgopkg.in/yaml.v3, which is inherently safe against YAML deserialization attacks (e.g.,!!python/object). However, it does not inspect the content of string values for patterns that are never legitimate in skill metadata but could be exploited by downstream systems.What to detect
Template injection syntax in frontmatter values
Patterns like
{{,${{, and<%in frontmatter string values. These are template delimiters for Go templates, GitHub Actions expressions, and ERB/EJS respectively. If a downstream consumer interpolates a frontmatter value (e.g., rendering the skill name or description in a workflow or web page), these could lead to injection.Examples of what should be flagged:
Null bytes in any frontmatter field
The character
\x00(null byte) in any frontmatter string value. Null bytes have no legitimate purpose in skill metadata and can cause truncation or parsing inconsistencies in C-based string handling, file systems, and some web frameworks.YAML type coercion tags (informational)
While Go's YAML library handles these safely, tags like
!!python/object,!!ruby/object/, and!!binaryin frontmatter are a strong signal that the content was either crafted for a different parser or is intentionally malicious. These should produce at minimum an informational warning, since skills validated here may later be parsed by Python or Ruby tooling.Proposed severity levels
{{,${{,<%)\x00)!!python/,!!ruby/,!!binary)Implementation notes
CheckFrontmatter()alongside existing field validations!!prefixed tags